Tomcat creates a cookie with a new jsessionid when timeout occurs

laamorim

Hi there.

I have the following problem in my web application.
I am using the url rewriting method for session maintenance, but when a
timeout occurs in my web application, tomcat sets a cookie named
jsessionid (used for session tracking purposes) with a new session id
value before redirecting the user to the login page. This jsessionid
cookie value does not match the previous session id, it is a new one,
and is also different from the new one created in the (re)login
process.

Why does this happen? Does tomcat always create a jsessionid cookie
when a timeout occurs? And if this is a tomcat issue, how do I disallow
this (if it is possible, anyway)?

Regards.
 
Andrea Desole

laamorim said:
> Hi there.
>
> I have the following problem in my web application.
> I am using the url rewriting method for session maintenance, but when a
> timeout occurs in my web application, tomcat sets a cookie named
> jsessionid (used for session tracking purposes) with a new session id
> value before redirecting the user to the login page. This jsessionid
> cookie value does not match the previous session id, it is a new one,
> and is also different from the new one created in the (re)login
> process.
>
> Why does this happen? Does tomcat always create a jsessionid cookie
> when a timeout occurs? And if this is a tomcat issue, how do I disallow
> this (if it is possible, anyway)?

You said it yourself: after the timeout tomcat makes a new session. Your
previous session is gone. You can change the timeout expiration in the
web.xml: look at the "session-timeout" element. You can also make the
sessions not expirable, but that means that they will stay indefinitely
on the server. Not a good idea.
 
laamorim

Yes, I know my previous session is gone, but I do not want tomcat to
create a new session when the timeout occurs.

The problem is that when the user (re)logins after the timeout, in the
(re)login process a new session is created via url rewriting, so after
the login I have two sessions. And after the login process has been
completed, when the user navigates through the web site tomcat always
gets the session from the jsessionid cookie created in the timeout, and
I do not want this to happen.

Is there any way to tell Tomcat to never use cookies for session
management?


Andrea Desole wrote:
 
Andrea Desole

laamorim said:
> Yes, I know my previous session is gone, but I do not want tomcat to
> create a new session when the timeout occurs.

That's not possible. When the session is gone, the user that
(re)connects is for tomcat a new user, since it can't find the old
session. Hence, Tomcat makes a new session. The only thing you can do is
to prevent a session from expiring.

> The problem is that when the user (re)logins after the timeout, in the
> (re)login process a new session is created via url rewriting, so after
> the login I have two sessions. And after the login process has been
> completed, when the user navigates through the web site tomcat always
> gets the session from the jsessionid cookie created in the timeout, and
> I do not want this to happen.

If this is your problem maybe a solution is to use a session listener.
With it you can serialize the current session information somewhere when
the session expires, maybe even keep it in a map at application scope,
and then you can restore the session when the user logs in again.

> Is there any way to tell Tomcat to never use cookies for session
> management?

And how do you want to implement session management? Either in the
cookies or in the url you must specify a session id.
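
The session-listener approach suggested in the last reply could look like the following. This is an added example, not code from the thread or from Tomcat; it assumes the Servlet 3.0+ `javax.servlet` API, and the class name `ExpiredSessionStore`, the `userId` attribute and the `restoreInto` helper are hypothetical.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Added example (hypothetical class): register it in web.xml with
// <listener><listener-class>ExpiredSessionStore</listener-class></listener>.
public class ExpiredSessionStore implements HttpSessionListener {
    // Assumption: the login code stores the authenticated user name under this key.
    static final String USER_KEY = "userId";
    // Application-scope map: user name -> attributes of that user's last expired session.
    private static final Map<String, Map<String, Object>> SAVED = new ConcurrentHashMap<>();

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // Nothing to do when a session is created.
    }

    // The container calls this before it invalidates the session, so the
    // attributes are still readable here.
    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession old = se.getSession();
        Object user = old.getAttribute(USER_KEY);
        if (!(user instanceof String)) {
            return; // anonymous session, e.g. the one created after the timeout
        }
        Map<String, Object> copy = new HashMap<>();
        for (String name : Collections.list(old.getAttributeNames())) {
            copy.put(name, old.getAttribute(name));
        }
        SAVED.put((String) user, copy);
    }

    // Call from the login code only after the credentials have been verified.
    // Copies the saved attributes into the new session and then forgets them,
    // so the old session id is never reused.
    public static void restoreInto(HttpSession fresh, String authenticatedUser) {
        Map<String, Object> copy = SAVED.remove(authenticatedUser);
        if (copy != null) {
            copy.forEach(fresh::setAttribute);
        }
        fresh.setAttribute(USER_KEY, authenticatedUser);
    }
}
```

`sessionDestroyed` also fires when a logout calls `invalidate()`, and saved entries stay in the map until the user logs in again, so a deployment would need to bound or expire them.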
 
