HttpServletRequest is null when http-only is set to true - session

I am using JBoss 7 and I have configured my session config in web.xml as follows:
<session-config>
  <session-timeout>240</session-timeout>
  <http-only>true</http-only>
</session-config>
However, in my servlet, I am getting a NullPointerException when I try to retrieve the current session as follows:
request.getSession(false);
Am I missing anything?

That seems correct per the documentation.
Snippet:
Returns the current HttpSession associated with this request or, if there is no current session and create is true, returns a new session.
If create is false and the request has no valid HttpSession, this method returns null.
After looking again at your web.xml snippet, it's not quite correct. The <http-only/> is not part of the <session-config/>. Move it into <cookie-config/> as per the following:
<session-config>
  <session-timeout>240</session-timeout>
  <cookie-config>
    <http-only>true</http-only>
  </cookie-config>
</session-config>
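
A small checker for the mistake corrected above, as an added example that is not part of the original posts: it parses a web.xml and reports `<http-only>` or `<secure>` placed directly under `<session-config>`, flags that are not enabled, and descriptors older than Servlet 3.0. The function names and both sample descriptors are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors (not from a real deployment).
MISPLACED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <session-timeout>240</session-timeout>
    <http-only>true</http-only>
  </session-config>
</web-app>"""

CORRECT = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <session-timeout>240</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
    </cookie-config>
  </session-config>
</web-app>"""

COOKIE_FLAGS = ("http-only", "secure")

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def child(parent, name):
    """First direct child with the given local name, or None."""
    return next((c for c in parent if local(c.tag) == name), None)

def audit_web_xml(xml_text):
    """Return a list of findings about session cookie flags in a web.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("version") in ("2.4", "2.5"):
        findings.append("descriptor version predates Servlet 3.0; <cookie-config> is not available")
    session = child(root, "session-config")
    if session is None:
        findings.append("no <session-config>: container defaults apply")
        return findings
    for flag in COOKIE_FLAGS:
        if child(session, flag) is not None:
            findings.append(f"<{flag}> is directly under <session-config>; move it into <cookie-config>")
    cookie = child(session, "cookie-config")
    for flag in COOKIE_FLAGS:
        el = child(cookie, flag) if cookie is not None else None
        if el is None or (el.text or "").strip().lower() != "true":
            findings.append(f"session cookie {flag} flag is not enabled")
    return findings
```

Run against the first sample it reports the misplaced element plus both flags as not enabled; against the second it reports only the missing `secure` flag.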

Related

Session timeout is not working

Currently I have added this in my web.xml:
<session-config>
  <session-timeout>1</session-timeout>
</session-config>
But after one minute the session is not getting expired.
I don't know what's wrong. Can anyone let me know what I'm doing wrong?

How to override\change HttpSession timeout in OC4J 10g (10.1.3.5.0)

In my WAR's web.xml, I added the following XML tags:
<session-config>
  <session-timeout>1</session-timeout>
</session-config>
Although I've done that, the session doesn't time out after 1 minute. I registered an HttpSessionListener to monitor the session creation\destruction:
<listener>
  <listener-class>my.listener.SessionListener</listener-class>
</listener>
...and only the session-creation indicator method is called when a session is created, but the session-destruction method isn't called after one minute as expected, yet it's called after 20 minutes though, which is the default timeout duration in OC4J.
How can I change this default behavior?!

Tomcat 7 : Redirect URL in case of session timeout

I have the following configuration in web.xml in Tomcat 7. I am wondering if I can add any configurable parameter here, so that if the user tries to do any operation post 30 minutes, I redirect the user to our home page.
<session-config>
  <session-timeout>30</session-timeout>
  <cookie-config>
    <domain>mydomain.mycompany.com</domain>
    <http-only>true</http-only>
    <secure>false</secure>
  </cookie-config>
  <tracking-mode>COOKIE</tracking-mode>
</session-config>
This is probably not possible by configuration only. You will have to add a filter as well. One way of doing that is described here: https://stackoverflow.com/a/1027592/3417638
If you would like to configure the redirect in web.xml, this can be done by using a context-parameter, see: https://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Context_Parameters

How to redirect user after session timeout

How can I redirect the user after session timeout? I have found some solutions but my problem is a little different. I got only one page and when the user clicks a button after timeout, he will be redirected to the login page. Is there any solution?
web.xml
<session-config>
  <session-timeout>1</session-timeout>
</session-config>
Set the session timeout in your web.xml - and configure Spring Security as you want it.

How to configure for session cookie as http-only

To set http-only, I used this in web.xml:
<session-config>
  <cookie-config>
    <http-only>true</http-only>
  </cookie-config>
</session-config>
But it is not setting http-only.
Can anyone suggest what may be the problem and how to set it?
Thanks.
Which container are you using and in which version?
Pay attention, since <http-only>true</http-only> can be used in web.xml only since Servlet 3.0.
