Tomcat and Session timeouts

Carl Howells

I'm using Tomcat 5.0.16. I'm using Realm based security for authentication of users.
I'm using form-based authentication. This means that the authentication lasts
while the user's session stays valid. This is the effect I want, as I want to be
able to log someone out just by using HTTPSession.invalidate().

However, it leaves me in a bit of a predicament when the session times out. Because
it's container managed security, if the user has been sitting at a protected page the
whole time, then refreshes, they'll be sent directly to the login page again, rather
than being told that their session timed out (or whatever message I'd use.) What I'd
like to do is have the login form at least tell them that they have to log in again
because they were inactive too long. Is there any way to do this while using
container managed security?
 
Tony Morris

Carl Howells said:
However, it leaves me in a bit of a predicament when the session times out. Because
it's container managed security, if the user has been sitting at a protected page the
whole time, then refreshes, they'll be sent directly to the login page again, rather
than being told that their session timed out (or whatever message I'd use.) What I'd
like to do is have the login form at least tell them that they have to log in again
because they were inactive too long. Is there any way to do this while using
container managed security?

Use a HttpSessionListener.
If the session times out, you could update a dynamic message that the login
page displays.

--
Tony Morris
(BInfTech, Cert 3 I.T., SCJP[1.4], SCJD)
Software Engineer
IBM Australia - Tivoli Security Software
(2003 VTR1000F)
 
Carl Howells

Tony said:
Use a HttpSessionListener.
If the session times out, you could update a dynamic message that the login
page displays.

What am I missing? If the Listener notifies my code of a timeout, I know that a
given user's session has timed out. And so I know that when that listener hits the
login page again, I should include a timeout message. But how do I know when that
particular user hits the timeout page again? I can't get session information from
them anymore, can I?

Or do I need to use some extra mechanism to keep track of the user name they think
they've logged in with, like a cookie or some kind of URL-encoded information? I'd
really like to avoid having an extra mechanism if I can.
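
An added example, not part of the thread: one way to show a timeout notice on the form-login page with no extra tracking mechanism, using the Servlet API's own record of the session id the browser presented. The class name `LoginNotice`, its method names and the message text are hypothetical.

```java
import javax.servlet.http.HttpServletRequest;

/**
 * Hypothetical helper for a form-login page under container-managed security.
 * The browser keeps sending its old session cookie after the server-side
 * session is gone, so the request itself shows that a session has ended.
 */
public final class LoginNotice {

    // Fixed text only: never echo the presented session id or a user name,
    // since the caller is unauthenticated at this point.
    static final String EXPIRED_TEXT =
            "Your previous session has ended. Please log in again.";

    private LoginNotice() {
    }

    /**
     * True when the client presented a session id that the container no
     * longer recognises (timed out, invalidated, or lost on restart).
     */
    public static boolean previousSessionEnded(HttpServletRequest request) {
        // Id taken from the cookie or URL the client sent, even if stale.
        String presentedId = request.getRequestedSessionId();
        if (presentedId == null) {
            return false; // first visit: nothing to report
        }
        // False once the container has dropped that session. A session the
        // container creates for this request gets a new id, so the stale
        // id still fails this check.
        return !request.isRequestedSessionIdValid();
    }

    /** Message for the login page, or an empty string when none applies. */
    public static String messageFor(HttpServletRequest request) {
        return previousSessionEnded(request) ? EXPIRED_TEXT : "";
    }
}
```

The login page can print `LoginNotice.messageFor(request)` above the form. The check is also true after an explicit `invalidate()` or a server restart, which is why the message says the session ended rather than that it timed out.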