That is rather interesting. The SecureCountVisits page does not check
for isSessionExpired() as does the CountVisits page.

It appears that when a session expires, the strategy is to call
Application.handleInvalidSession() which basically removes the _SID_
reference so the browser will stop requesting an invalid session, and
marks request._sessionExpired. It does not, however, delete the session.
The session object remains attached to the transaction for the remainder
of the transaction processing by the servlet. It is up to the servlet
to check the request.isSessionExpired() and take appropriate action of
notifying the user that their session has expired at this point.

The SecureCountVisits page does not check for the isSessionExpired() and
therefore uses the session even when it is expired. However, since
handleInvalidSession() has already run, the cookie identifying the
session has been removed (or will be removed when the response is
flushed). Therefore on the next invocation of the page there is no
cookie identifying a session so you are prompted with the login page.

Probably what should happen is that the SecureCountVisits example
should be updated to include a check for isSessionExpired() and then
display an expired session page.

Chris Backas wrote:
> Hello all,
> I've been having an interesting problem with dynamic session timeouts
> and the SecurePage skeleton provided by the examples. I've got a
> servlet hierarchy based on the SecurePage example to handle
> authentication. It generally works fine, but when the user leaves the
> session idle a long time, things can get weird. If the session gets
> flushed to disk, and then times out completely - and then the user
> sends another request, the session is restored from disk and the
> request is fulfilled. Then the NEXT request will be denied saying
> that their session has timed out.
> Any ideas on where I should look, or what the source of this might be?
> Thanks in advance,
> Chris Backas
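
The behaviour described in the reply above, as an added example that is not part of the thread and not Webware's own code: a toy dispatcher reproduces the "served once, then login page" sequence and shows the isSessionExpired() check closing it. Only handleInvalidSession, isSessionExpired, _sessionExpired and _SID_ come from the thread; every other name and the sample session are hypothetical.

```python
# Toy model of the flow described in the thread, NOT Webware's own code. Only
# handleInvalidSession, isSessionExpired, _sessionExpired, _SID_ are from the thread.
from types import SimpleNamespace

class Request:
    def __init__(self, cookies):
        self.cookies, self.session, self._sessionExpired = dict(cookies), None, False

    def isSessionExpired(self):
        return self._sessionExpired

class Application:
    def __init__(self):
        self.sessions = {}  # session id -> session object (stands in for the store)

    def handleInvalidSession(self, request, response):
        # Drop the cookie and flag the request; the session stays attached.
        response["expire_cookies"].append("_SID_")
        request._sessionExpired = True

    def dispatch(self, servlet, cookies, now):
        request = Request(cookies)
        request.session = self.sessions.get(request.cookies.get("_SID_"))
        if request.session is None:  # no session cookie: ask for login
            return {"expire_cookies": [], "body": "login page"}
        response = {"expire_cookies": [], "body": None}
        if now - request.session.last_access > request.session.timeout:
            self.handleInvalidSession(request, response)
        response["body"] = servlet(request)  # the servlet runs either way
        return response

def unchecked_page(request):
    # Like the SecureCountVisits behaviour described: never asks about expiry.
    return "count for " + request.session.user

def checked_page(request):
    # The check the reply suggests: do not use an expired session.
    if request.isSessionExpired():
        return "session expired"
    return "count for " + request.session.user

def replay(servlet):
    # Constructed scenario: session idle 5000 s against a 3600 s timeout.
    app = Application()
    app.sessions["abc"] = SimpleNamespace(user="chris", last_access=0, timeout=3600)
    first = app.dispatch(servlet, {"_SID_": "abc"}, now=5000)
    cookies = {} if "_SID_" in first["expire_cookies"] else {"_SID_": "abc"}
    second = app.dispatch(servlet, cookies, now=5001)
    return first["body"], second["body"]
```

replay(unchecked_page) serves authenticated content from the expired session on the first request and only reaches the login page on the second; replay(checked_page) refuses on the first request.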