tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: Session time out never takes place with ajax
Date Thu, 10 Nov 2011 06:03:53 GMT


On 11/9/11 12:56 AM, Sharon Prober (sprober) wrote:
> This is my first post here so wish me luck :)


> My question is as follows:
> I have a web based application running on tomcat 6.0.29
> On my main page there is a polling ajax call every 5 seconds.
> Clearly this revalidates the session and by that renders the
> session timeout feature unusable


> I read about two main solutions for this issue
> 1. Coding on the server side (filter) a simple snippet that
> identifies an ajax call based on a parameter passed and based on
> that knows if this is a valid post or a polling hit that should not
> affect the session expiration date

This is problematic for a few reasons:

1. You usually want a polling request to return something of use, which
   often involves the session. You can't access the session without
   updating its last-accessed-time.

2. Under certain configurations, Tomcat will update the
   last-accessed-time of the session even if you don't call

   This may be only the case in Tomcat 7 with the following
   configuration settings:

   See the org.apache.catalina.core.StandardHostValve.ACCESS_SESSION
   and org.apache.catalina.STRICT_SERVLET_COMPLIANCE system properties

> 2. Create a stub webapp and redirect the calls of the polling
> to that app

I'm not sure this buys you anything: if you pass-through calls to the
"real" webapp, then you'll still be touching the session.

> So my question is, is there another way for this to be achieved?

It would be best to describe what your "ping" actually does. If it
doesn't require session access, you may have some options.

> Note. I think it might be a cool feature (with the vast ajax use
> these days) to have a configuration in the web.xml that excludes
> various paths/urls from the session validation checkups

This would, by definition, be a violation of the specification.
Instead, something like a Valve placed early in the pipeline could
avoid a session update but still perform some trivial action.

-chris
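An added example, not part of the original message or of Tomcat itself: one way to build the Valve the reply suggests, so that a polling URL is answered early in the pipeline and the idle timeout still expires the session. The class name, package and `pollPath` value are hypothetical, and the sketch assumes the default StandardManager and a `javax.servlet` Tomcat (6 through 9).

```java
package example; // hypothetical package name

import java.io.IOException;
import javax.servlet.ServletException; // jakarta.servlet on Tomcat 10 and later
import org.apache.catalina.Context;
import org.apache.catalina.Manager;
import org.apache.catalina.Session;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/** Answers the polling URL before the webapp runs, so the session is never accessed. */
public class PollValve extends ValveBase {

    // Hypothetical polling URL; set it with the pollPath attribute on <Valve>.
    private String pollPath = "/myapp/poll";

    public void setPollPath(String pollPath) {
        this.pollPath = pollPath;
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        if (!pollPath.equals(request.getRequestURI())) {
            // Ordinary request: continue down the pipeline as usual.
            getNext().invoke(request, response);
            return;
        }
        // Polling request: never call request.getSession() or getSessionInternal(),
        // since those mark the session as accessed and reset the idle timer.
        boolean active = false;
        String id = request.getRequestedSessionId();
        Context context = request.getContext();
        Manager manager = (context == null) ? null : context.getManager();
        if (id != null && manager != null) {
            // Assumption: StandardManager, whose findSession() is a plain lookup.
            // A persistent manager may swap the session in and touch it.
            Session session = manager.findSession(id);
            active = (session != null && session.isValid());
        }
        response.setContentType("text/plain");
        response.setHeader("Cache-Control", "no-store");
        response.getWriter().write(active ? "active" : "expired");
        // Not calling getNext(): the webapp never sees the poll.
    }
}
```

Register it inside the `<Host>` element of server.xml as `<Valve className="example.PollValve" pollPath="/myapp/poll"/>`, with the compiled class on Tomcat's own classpath rather than in the webapp. The client can stop polling and send the user to the login page once the reply reads "expired".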