Weird behaviour regarding Apache Tomcat Configuration Reference - System Properties - spring

I am using Tomcat 7.0, Spring 4.0.2, Web Module 3.0 in Eclipse for my web application.
And I configured my session timeout in app/web.xml as well as tomcat/conf/web.xml:
<session-config><session-timeout>10</session-timeout></session-config>
I am sending one request called captureLastActiveTimeForCurrentFile every 5 mins.
I need to prevent one request (suppose, captureLastActiveTimeForCurrentFile) from updating the lastAccessedTime of the session.
According to http://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html#Sessions (org.apache.catalina.core.StandardHostValve.ACCESS_SESSION), the default behavior of Tomcat is: every request that is associated with a session will cause the session's last accessed time to be updated if the request explicitly accesses the session.
I am not accessing the session explicitly from the request (HttpServletRequest object) captureLastActiveTimeForCurrentFile. So according to my understanding Tomcat should invalidate the session 10 min after any request which accesses the session explicitly. But in my case Tomcat never invalidates the session because I am sending captureLastActiveTimeForCurrentFile every 5 mins. But according to the docs it should. Can anyone help me to understand what is happening here? Thanks in advance.
EDIT: I found some discussion regarding this topic here. But I am still not getting the actual problem.
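An added diagnostic, not code from the question or from Tomcat itself: in Tomcat, every call to HttpServletRequest.getSession(), including getSession(false) when a session already exists, marks that session as accessed, so a framework filter that reads something from the session (a security context, a locale, a flash map) will keep it alive even though the controller for the heartbeat never touches it. The filter below is hypothetical (class names SessionAccessAuditFilter and AuditingRequest, and the path suffix taken from the question's request name, are all assumptions); it wraps the heartbeat request so that every session lookup made further down the chain is counted and the first caller is recorded in the servlet context log.

```java
import java.io.IOException;
import java.util.concurrent.atomic.AtomicInteger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical diagnostic filter (not part of the question): for the heartbeat
 * request it wraps the HttpServletRequest so that every session lookup made by
 * downstream filters, Spring or the controller is counted and the first caller
 * is recorded. In Tomcat each such lookup marks the session as accessed, which
 * is exactly what resets the idle timeout.
 */
public class SessionAccessAuditFilter implements Filter {

    /** Path suffix of the request to audit; assumed from the question's request name. */
    private static final String HEARTBEAT_PATH = "/captureLastActiveTimeForCurrentFile";

    @Override
    public void init(FilterConfig filterConfig) {
        // no configuration needed
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        if (!http.getRequestURI().endsWith(HEARTBEAT_PATH)) {
            chain.doFilter(req, res);          // only the heartbeat is audited
            return;
        }
        AuditingRequest audited = new AuditingRequest(http);
        try {
            chain.doFilter(audited, res);
        } finally {
            // Zero lookups means nothing in this chain touched the session; any
            // other value names the component that kept the session alive.
            http.getServletContext().log("session audit " + http.getRequestURI()
                    + ": getSession() called " + audited.lookups()
                    + " time(s), first caller: " + audited.firstCaller());
        }
    }

    /** Request wrapper that intercepts the only API through which code reaches the session. */
    static final class AuditingRequest extends HttpServletRequestWrapper {
        private final AtomicInteger lookups = new AtomicInteger();
        private volatile String firstCaller = "none";

        AuditingRequest(HttpServletRequest request) {
            super(request);
        }

        @Override
        public HttpSession getSession() {
            return getSession(true);
        }

        @Override
        public HttpSession getSession(boolean create) {
            if (lookups.incrementAndGet() == 1) {
                firstCaller = callerOutsideThisClass();
            }
            // Delegating to the real request is what makes Tomcat call session.access()
            return super.getSession(create);
        }

        int lookups() {
            return lookups.get();
        }

        String firstCaller() {
            return firstCaller;
        }

        /** First stack frame that is neither Thread nor this wrapper: the component asking for the session. */
        private static String callerOutsideThisClass() {
            for (StackTraceElement frame : Thread.currentThread().getStackTrace()) {
                String cls = frame.getClassName();
                if (!cls.equals(Thread.class.getName()) && !cls.equals(AuditingRequest.class.getName())) {
                    return cls + "." + frame.getMethodName() + "(line " + frame.getLineNumber() + ")";
                }
            }
            return "unknown";
        }
    }
}
```

Map the filter in web.xml ahead of every other filter (filter-mapping order is chain order), otherwise lookups made by filters declared before it are not seen. If the first caller turns out to be another request wrapper, that wrapper is delegating on behalf of whatever sits above it, so read the surrounding frames in the log. Note that setting org.apache.catalina.core.StandardHostValve.ACCESS_SESSION to true, the property the question links to, makes Tomcat touch the session on every request that carries a session cookie, so with that property set the count is irrelevant.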

Related

Can't use spring sessions on Vaadin

If I add spring-session jdbc to my vaadin-spring-boot-application the application is very slow and does a full page reload after a few seconds. Everything else looks like it is working normally.
I do not notice the problem and I have been researching this issue for a few days and got this Github issue and Vaadin microservices configuration. But in these I did not find a suitable solution to solve this problem. Can anyone give me a true example of implementing Spring sessions on Vaadin?
Regards.
Session replication schemes like spring-session assume that the session is relatively small and that the content isn't sensitive to concurrent modification from multiple request threads. Neither of those assumptions holds true for a typical Vaadin application.
The first problem is that there's typically between 100KB and 10MB of data in the session that needs to be fetched from the database, deserialized, updated and then again serialized and stored in the database for each request. The second problem is that Vaadin stores a lock instance in the session and uses that to ensure there aren't multiple request threads using the same session concurrently.
To serialize a session to persistent storage, you thus need to ensure your load balancer uses sticky sessions and typically also use a high performance solution such as Hazelcast rather than just deserializing and serializing individually for each request.
For more details, you can have a look at these two posts:
https://vaadin.com/learn/tutorials/hazelcast
https://vaadin.com/blog/session-replication-in-the-world-of-vaadin

Alfresco session timeout

We are using Alfresco 5.2.3 Enterprise with ADF 3.4.0.
The web.xml files in both our alfresco and share wars have a session-timeout of 60.
And for ADF we have not found any session timeout settings or config.
So, ideally the session should not expire before 60 mins, but the customer is complaining that after remaining idle for around 15 mins their session expires/logs out. They need to relogin.
So, what should be the ideal way to make the session valid for the actual 60 mins and not just 15 mins?
I tried overriding the session timeout using the following link but it's not working:
Overriding alfresco timeout
Also tried setting the following property in the alfresco-global.properties file with different values:
authentication.ticket.validDuration=PT1H
But it does not work.
The same behaviour is noted when we use the ADF URL as well as the Share URL.
The Share URL actually logs out the user; the ADF URL mostly invalidates the session, so our custom actions do not appear against the documents if the user remains idle for 15 mins.
NOTE: There is no SSO integration done for our project.
Any suggestions or pointers would be really helpful.
I tried multiple options:
authentication.ticket.ticketsExpire=true
to
authentication.ticket.ticketsExpire=false
authentication.ticket.expiryMode=AFTER_INACTIVITY
to
authentication.ticket.expiryMode=DO_NOT_EXPIRE
authentication.ticket.useSingleTicketPerUser=false
to
authentication.ticket.useSingleTicketPerUser=true
But none of the above settings, after a restart, has any impact on the behaviour. So these session timeout settings are mostly carried forward from the proxy server or load balancer settings and applied here.

Jetty webserver after idle breaks

I have a webapp deployed successfully in Jetty webserver.
The webserver responds to requests fine.
When I access the app it renders the home page.
Recently I noticed that when I don't use the app for a certain period of time it breaks somehow. The period is somewhere around 2/3 weeks.
When I access the webapp after 2/3 weeks of idling I receive this output.
If I try to access any other link, i.e. the login page (/login.faces), I receive:
Problem accessing /error/not-found.faces. Reason:
/error/not-found.xhtml Not Found in ExternalContext as a Resource
which normally used to work before idling.
If I restart the webserver everything returns to normal and works fine. There are scheduled tasks set which make the app interact with the database every day. (There is a scheduled task for fetching currency rates via web service.)
Therefore, my question is: what would be the cause which breaks the site and makes it unavailable after idling? Is this a webserver (Jetty) issue? Am I missing any setting which is crucial?
FYI, the project structure is: Java with Spring, Hibernate, JSF (PrimeFaces) and Jetty
This occurred due to permissions in CentOS.
If anyone faces the same issue, make sure to check that the logs have appropriate permissions to read and write.

Tomcat is not changing session id anymore

I have a Tomcat 8 server in which I have two web apps. I want to give access to both applications by authenticating a user once.
I did it by setting sessionCookiePath="/" in catalina/conf/context.xml like this:
<Context useHttpOnly="false" sessionCookiePath="/">
Now the problem I am facing is that Tomcat is not changing the session ID anymore. I got a warning message:
Warn org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy - your servlet container did not change the session id when a new session was created
On the link, it is said that Tomcat takes care of that by default.
http://www.tomcatexpert.com/blog/2011/04/25/session-fixation-protection
How can I fix it?
Thanks
Yes, this is expected behaviour. The documentation hints at this but does not make it explicitly clear.
Setting sessionCookiePath="/" is treated as a special case to support portlet implementations. Once one web application obtains a session, all subsequent sessions for any web application also configured with sessionCookiePath="/" will always get the same session ID. This holds even if the session is invalidated and a new one created.
If a set of web applications operates in this mode, changing the session ID is a lot harder. You'd have to write a custom Tomcat component to do it for you, and even then I'm not sure that you can guarantee a smooth changeover.
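An added check, not code from the question, the answer or Tomcat: the warning quoted in the question is the symptom that matters for security, because a session ID that survives authentication is what makes session fixation possible. The class below (hypothetical names SessionFixationCheck and Result) compares the JSESSIONID issued before login with the one issued by the login response and reports the cookie Path, since Path="/" is what puts Tomcat into the shared-ID mode the answer describes. The Set-Cookie values in main() are constructed samples: the first pair mimics the question (shared path, unchanged ID), the second a healthy rotation.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Hypothetical check (not from the question or answer): compares the
 * JSESSIONID issued before login with the one issued after login and reports
 * whether the container rotated it, plus the cookie Path it was scoped to.
 */
public final class SessionFixationCheck {

    // Group 1: the session ID; group 2 (optional): the Path attribute.
    private static final Pattern SESSION_COOKIE =
            Pattern.compile("^JSESSIONID=([^;]+)(?:;.*?\\bPath=([^;]*))?", Pattern.CASE_INSENSITIVE);

    /** Outcome of comparing the pre- and post-login session cookies. */
    public static final class Result {
        public final String idBefore;
        public final String idAfter;
        public final String path;
        public final boolean idChanged;

        Result(String idBefore, String idAfter, String path) {
            this.idBefore = idBefore;
            this.idAfter = idAfter;
            this.path = path;
            this.idChanged = idBefore != null && idAfter != null && !idBefore.equals(idAfter);
        }

        @Override
        public String toString() {
            return (idChanged ? "OK: session ID rotated on login" : "WARNING: session ID unchanged on login")
                    + " (before=" + idBefore + ", after=" + idAfter + ", cookie path=" + path + ")";
        }
    }

    /** Extracts the JSESSIONID value from a list of Set-Cookie header values, or null if absent. */
    static String sessionId(List<String> setCookieHeaders) {
        for (String header : setCookieHeaders) {
            Matcher m = SESSION_COOKIE.matcher(header);
            if (m.find()) {
                return m.group(1);
            }
        }
        return null;
    }

    /** Extracts the Path attribute of the JSESSIONID cookie, or null if absent. */
    static String cookiePath(List<String> setCookieHeaders) {
        for (String header : setCookieHeaders) {
            Matcher m = SESSION_COOKIE.matcher(header);
            if (m.find()) {
                return m.group(2);
            }
        }
        return null;
    }

    /** Compares the Set-Cookie headers of the unauthenticated response with those of the login response. */
    public static Result compare(List<String> beforeLogin, List<String> afterLogin) {
        String before = sessionId(beforeLogin);
        String after = sessionId(afterLogin);
        // No Set-Cookie on the login response means the client keeps the old ID.
        if (after == null) {
            after = before;
        }
        String path = cookiePath(afterLogin) != null ? cookiePath(afterLogin) : cookiePath(beforeLogin);
        return new Result(before, after, path);
    }

    public static void main(String[] args) {
        // Constructed sample headers (not captured from a real server).
        List<String> sharedBefore = Arrays.asList("JSESSIONID=AAAA1111; Path=/; HttpOnly");
        List<String> sharedAfter  = Arrays.asList("JSESSIONID=AAAA1111; Path=/; HttpOnly");
        System.out.println(compare(sharedBefore, sharedAfter));

        List<String> perAppBefore = Arrays.asList("JSESSIONID=BBBB2222; Path=/app1; HttpOnly");
        List<String> perAppAfter  = Arrays.asList("JSESSIONID=CCCC3333; Path=/app1; HttpOnly");
        System.out.println(compare(perAppBefore, perAppAfter));
    }
}
```

Against a live deployment, feed compare() the Set-Cookie values of two responses obtained with java.net.HttpURLConnection (getHeaderFields().get("Set-Cookie")): one from an unauthenticated page, one from the login request sent with that first cookie attached. A WARNING result on every login, combined with a Path of "/", confirms the shared-ID behaviour described in the answer rather than a Spring Security misconfiguration.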

invalidate the session in Tapestry from JUnit tests

I am working on a large complicated Tapestry service. It generally works but sometimes when running for a while the session it is in will get invalidated, and it will send an error. There is nothing about this service that should need the session but sometimes it depends on a service that depends on a service that "needs" the session.
I want to programmatically invalidate the session in my tests, so I can protect against regression. Ideally I would do this without killing the session in the production code, which is how I am testing it now.
Specifically, we are testing the service by running the server and making http calls, and also by extending TapestryIoCTestCase. I can't think of any clean way to invalidate a session from the http client tests, and the mock session created for TapestryIoCTestCase does not support invalidation.
I have looked into setting the session time-out in the tests, but I was hoping for something more direct.
Thanks
For instance, someone at some point wanted to set the locale in one of our dependencies:
java.lang.IllegalStateException: setAttribute: Session [31943F300613D2105C9AF8602397557D] has already been invalidated
at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1437)
at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1402)
at org.apache.catalina.session.StandardSessionFacade.setAttribute(StandardSessionFacade.java:156)
at org.apache.tapestry5.internal.services.SessionImpl.setAttribute(SessionImpl.java:67)
at org.apache.tapestry5.internal.services.SessionApplicationStatePersistenceStrategy.set(SessionApplicationStatePersistenceStrategy.java:68)
at $ApplicationStatePersistenceStrategy_13c1cafe292.set($ApplicationStatePersistenceStrategy_13c1cafe292.java)
at org.apache.tapestry5.internal.services.ApplicationStateManagerImpl$ApplicationStateAdapter.set(ApplicationStateManagerImpl.java:50)
at org.apache.tapestry5.internal.services.ApplicationStateManagerImpl.set(ApplicationStateManagerImpl.java:138)
at $ApplicationStateManager_13c1cafe272.set($ApplicationStateManager_13c1cafe272.java)
I'm assuming you are referring to the HttpSession which can be invalidated by calling HttpSession.invalidate(). Though in all honesty your question provides too little information for a proper answer. What is your setup? What have you tried? What does your code look like? Are you mocking your Servlet Container? Etc...
Questions without code are hard to answer.
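An added test utility, not code from the question, the answer or the Tapestry project: the answer's point is that HttpSession.invalidate() is the operation to exercise, and the question's complaint is that the available mock session does not support it. The class below (hypothetical name InvalidatableSession) builds a javax.servlet.http.HttpSession through java.lang.reflect.Proxy so that only the handful of methods a test needs have to be written, and it honours invalidate() the way the stack trace in the question shows Tomcat's StandardSession does: every later attribute call fails with IllegalStateException. How the proxy is handed to Tapestry's own Session wrapper depends on your test setup and is not shown.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.UUID;

import javax.servlet.http.HttpSession;

/**
 * Hypothetical test double (not from the question or the Tapestry project): an
 * HttpSession backed by a map that honours invalidate() like Tomcat's
 * StandardSession, so a test can invalidate it and then observe the
 * IllegalStateException the production stack trace shows. Methods the tests
 * do not need raise UnsupportedOperationException rather than silently
 * returning defaults.
 */
public final class InvalidatableSession implements InvocationHandler {

    private final String id = UUID.randomUUID().toString();
    private final long created = System.currentTimeMillis();
    private final Map<String, Object> attributes = new LinkedHashMap<String, Object>();
    private boolean valid = true;

    /** Creates a javax.servlet.http.HttpSession proxy backed by a fresh instance. */
    public static HttpSession create() {
        return (HttpSession) Proxy.newProxyInstance(
                HttpSession.class.getClassLoader(),
                new Class<?>[] { HttpSession.class },
                new InvalidatableSession());
    }

    @Override
    public Object invoke(Object proxy, Method method, Object[] args) {
        String name = method.getName();
        // Like StandardSession, any attribute operation on a dead session fails loudly;
        // getId() and the Object methods keep working so the failure can be reported.
        if (!valid && !name.equals("invalidate") && !name.equals("getId")
                && !name.equals("toString") && !name.equals("hashCode") && !name.equals("equals")) {
            throw new IllegalStateException(name + ": Session [" + id + "] has already been invalidated");
        }
        if (name.equals("getAttribute")) {
            return attributes.get((String) args[0]);
        } else if (name.equals("setAttribute")) {
            if (args[1] == null) {
                attributes.remove((String) args[0]);   // servlet spec: null value means remove
            } else {
                attributes.put((String) args[0], args[1]);
            }
            return null;
        } else if (name.equals("removeAttribute")) {
            attributes.remove((String) args[0]);
            return null;
        } else if (name.equals("getAttributeNames")) {
            return Collections.enumeration(attributes.keySet());
        } else if (name.equals("invalidate")) {
            if (!valid) {
                throw new IllegalStateException("invalidate: Session [" + id + "] has already been invalidated");
            }
            attributes.clear();
            valid = false;
            return null;
        } else if (name.equals("getId")) {
            return id;
        } else if (name.equals("getCreationTime") || name.equals("getLastAccessedTime")) {
            return created;
        } else if (name.equals("isNew")) {
            return false;
        } else if (name.equals("toString")) {
            return "InvalidatableSession[" + id + (valid ? "]" : ", invalidated]");
        } else if (name.equals("hashCode")) {
            return System.identityHashCode(proxy);
        } else if (name.equals("equals")) {
            return proxy == args[0];
        }
        throw new UnsupportedOperationException("HttpSession." + name + " is not needed by these tests");
    }

    /** Small self-check; in a real test the proxy is handed to the service under test instead. */
    public static void main(String[] args) {
        HttpSession session = create();
        session.setAttribute("locale", "en_US");
        session.invalidate();
        try {
            session.setAttribute("locale", "de_DE");     // reproduces the production failure
            throw new AssertionError("expected IllegalStateException");
        } catch (IllegalStateException expected) {
            System.out.println("Reproduced: " + expected.getMessage());
        }
    }
}
```

Because invalidation is an explicit state change on the double, a regression test can call invalidate() at exactly the point where the production incident occurred and assert that the service under test either tolerates it or fails with a clear error, without touching any production code path.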
