I have a default installation of Tomcat 6.0, and I have an app that stores information in the session variable.
It seems that my session is invalidated after a short period of inactivity. So long as I'm navigating to another page every few seconds, the session data is there, but if I stop clicking for about half a minute, the session id that the browser stores changes. (I've confirmed this using Firebug, and see the same behavior from IE8 which is my target browser.)
Why might this be happening? The web.xml for my app specifies 30 minute sessions, and I've made a call to session.setMaxInactiveInterval(60) to see if that changed anything, but it doesn't seem to.
Sanity check:
My web app web.xml starts like this:
<?xml version="1.0" encoding="utf-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_5.xsd"
version="2.5">
<session-config>
<session-timeout>30</session-timeout>
</session-config>
My server's web.xml contains these lines:
<session-config>
<session-timeout>30</session-timeout>
</session-config>
According to this, the method you use take the input as seconds, not minutes, so you would be making things worse.
As for the rest, I'd think about the code that is using the session since the web.xml fragment looks ok.
Some of the lastest versions of Tomcat 6 have a feature named "Session Fixation" which changes the session Id after you login.
Related
Currently I have added this in my web.xml
<session-config>
<session-timeout>1</session-timeout>
</session-config>
But after one minute session is not getting expired,
I don't know whats wrong can anyone let me know where i'm doing wrong
I followed this article and created simplest websocket echo application. Although article is about Glassfish, I successfully run my app under Jetty 9, as they are using standard javax.websocket API in article.
It works just fine, but now I want to secure websocket connection. I googled around and found most examples are written as standalone Java application (with public static void main() method). They create new ConnectionFactory and starts server from their code (like here for example).
But I want to run my app under Jetty as a container, so I want to just specify some options in web.xml or something, to secure my connection. So I found this article and modified my web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
version="3.1">
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected resource</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<!-- https -->
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
</web-app>
The problem is it doesn't work. Probably because article is about Glassfish again.
How it is does NOT work:
My IDE (IDEA) shows red all tags inside <security-constraint>, that means schema validation is failed and these tags can not be contained inside <security-constraint>
When I try to open index.html over HTTPS I get error ssl_error_rx_record_too_long in browser and also there are two errors in Jetty output:
Illegal character 0x16 in state=START for buffer HeapByteBuffer
and
badMessage: 400 Illegal character 0x16 for HttpChannelOverHttp
So.. What I am doing wrong? How to make secured websocket via Jetty or application configuration?
The security constraint tag you described is mostly used for specify BASIC authentication mode in application server.
I guess you want to enable HTTPS and not authentication. For enabling HTTPS you may follow this article: https://wiki.eclipse.org/Jetty/Howto/Configure_SSL
I am working with primefaces 3.4 and JSF 2.0.4, I´ve set up the session to be over in 30 minutes in web.xml
<session-config>
<session-timeout>30</session-timeout>
</session-config>
And i have an iddleMonitor set up to show up in 25 minutes, however, suddenly the session gets lost, and iddlemonitor does not show up, and the application does not work,
Anybody has face this problem? any solution?
In my WAR's web.xml, I added the following XML tags:
<session-config>
<session-timeout>1</session-timeout>
</session-config>
Although I've done that, the session doesn't timeout after 1 minute. I registered a HttpSessionListener to monitor the session creation\destruction:
<listener>
<listener-class>my.listener.SessionListener</listener-class>
</listener>
...and only the session-creation indicator method is called when a session is created, but the session-destruction method isn't called after one minute as expected, yet its called after 20 minutes though, which is the default timeout duration in OC4J.
How can I change this default behavior ?!
I have following configuration in web.xml in tomcat 7. I am wondering if I can add any configurable parameter here, so that if user tries to do any operation post 30 minutes, I redirect the user to our home page.
<session-config>
<session-timeout>30</session-timeout>
<cookie-config>
<domain>mydomain.mycompany.com</domain>
<http-only>true</http-only>
<secure>false</secure>
</cookie-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
This is probably not possible by configuration only. You will have to add a filter aswell. One way of doing that is described here: https://stackoverflow.com/a/1027592/3417638
If you would like to configure the redirect in web.xml, this can be done by using a context-parameter, see: https://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Context_Parameters