Return-Path: X-Original-To: apmail-tomcat-users-archive@www.apache.org Delivered-To: apmail-tomcat-users-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id DCA4518CCC for ; Wed, 2 Dec 2015 15:57:35 +0000 (UTC) Received: (qmail 92616 invoked by uid 500); 2 Dec 2015 15:56:33 -0000 Delivered-To: apmail-tomcat-users-archive@tomcat.apache.org Received: (qmail 92552 invoked by uid 500); 2 Dec 2015 15:56:33 -0000 Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Tomcat Users List" Delivered-To: mailing list users@tomcat.apache.org Received: (qmail 92540 invoked by uid 99); 2 Dec 2015 15:56:33 -0000 Received: from Unknown (HELO spamd3-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 02 Dec 2015 15:56:33 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd3-us-west.apache.org (ASF Mail Server at spamd3-us-west.apache.org) with ESMTP id DAD51180975 for ; Wed, 2 Dec 2015 15:56:32 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: 0.98 X-Spam-Level: X-Spam-Status: No, score=0.98 tagged_above=-999 required=6.31 tests=[KAM_LAZY_DOMAIN_SECURITY=1, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01] autolearn=disabled Received: from mx1-eu-west.apache.org ([10.40.0.8]) by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new, port 10024) with ESMTP id raGzAym6NkVA for ; Wed, 2 Dec 2015 15:56:25 +0000 (UTC) Received: from vms173019pub.verizon.net (vms173019pub.verizon.net [206.46.173.19]) by mx1-eu-west.apache.org (ASF Mail Server at mx1-eu-west.apache.org) with ESMTPS id D2EC82304B for ; Wed, 2 Dec 2015 15:56:24 +0000 (UTC) MIME-version: 1.0 Content-transfer-encoding: 8BIT Content-type: text/plain; charset=utf-8 Received: from Christophers-MacBook-Pro.local ([71.127.40.115]) by vms173019.mailsrvcs.net (Oracle Communications Messaging Server 7.0.5.32.0 64bit (built Jul 16 2014)) with ESMTPA id <0NYQ00F0HMXAFFA0@vms173019.mailsrvcs.net> for users@tomcat.apache.org; Wed, 02 Dec 2015 09:55:59 -0600 (CST) X-CMAE-Score: 0 X-CMAE-Analysis: v=2.1 cv=WcjxEBVX c=1 sm=1 tr=0 a=tVXBnewmVzifmTgg5+7jYA==:117 a=-57I09spAAAA:8 a=oR5dmqMzAAAA:8 a=IkcTkHD0fZMA:10 a=wUQvQvOEmiQA:10 a=mV9VRH-2AAAA:8 a=FSOUx-3mYI_WT7FARWgA:9 a=QEXdDO2ut3YA:10 a=kMaoRU0uFRoA:10 Subject: Re: Detecting Expired Session via JavaScript? To: Tomcat Users List References: <565DD929.4040508@malcolms.com> <565DF75F.9080008@malcolms.com> From: Christopher Schultz X-Enigmail-Draft-Status: N1110 Message-id: <565F148E.9050002@christopherschultz.net> Date: Wed, 02 Dec 2015 10:55:58 -0500 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0) Gecko/20100101 Thunderbird/38.3.0 In-reply-to: <565DF75F.9080008@malcolms.com> Jerry, On 12/1/15 2:39 PM, Jerry Malcolm wrote: > On 12/1/2015 12:17 PM, Jose MarĂ­a Zaragoza wrote: >> >> ts automatically resets the session timer. >> Only if the request goes to the same application. >> You can create a HttpSessionListener who saves some info on a shared >> store when session is expired. >> Anothe REST service could check the status of the session when is >> requested by your page > Jose, > > I understand the listener and storing the state in common storage. But > I'm confused on your statement above about the same application. I have > several web apps running on the same host instance. They all share a > common login using SingleSignOn. Each application has a distinct HttpSession object. The SingleSignOn cookie allows each application to re-authenticate using the SSO information, so you get a new HttpSession if your old one times out. > If I hit any of the apps it resets the timer. I don't think hitting app A will reset the session timeout of app B's session. (Or maybe it does, but I didn't think that's how SSO worked in Tomcat. Unfortunately, the SSO documentation[1] doesn't actually say exactly how all this works.) > Do they all have separate sessions but share a common login state? Yes. > What is the relationship between "logged in" and separate webapp > sessions that come and go independently. What I really care about is > whether the authenticator is going to bounce the request to a login page > or not. It still seems like calling any app is going to reset the > logged-in timer if I'm using single sign-on (?). The authenticator is not going to sent you to a login page for any application unless either of these events occurs: (a) You explicitly log-out from one of the applications. This will terminate the SSO cookie and revoke your logins on all associated applications. (b) Your SSO cookie (or server-based info) expires. Then you will be asked to authenticate again. If you are using SSO, this adds a bit of mystery to the situation, since what you really want to find out is whether the /SSO token/ is still valid. The validity of any of the various individual-application session identifiers is irrelevant, since if the SSO token is valid, you will be automatically re-authenticated to the individual applications. I think you may have to re-think how you detect the expiration of your users' logins. -chris [1] http://tomcat.apache.org/tomcat-8.0-doc/config/host.html#Single_Sign_On --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org For additional commands, e-mail: users-help@tomcat.apache.org