From: Stuart D. <st...@as...> - 2003-02-15 16:34:11
That is rather interesting. The SecureCountVisits page does not check for isSessionExpired() as does the CountVisits page.

It appears that when a session expires, the strategy is to call Application.handleInvalidSession() which basically removes the _SID_ reference so the browser will stop requesting an invalid session, and marks request._sessionExpired. It does not, however, delete the session object. The session object remains attached to the transaction for the remainder of the transaction processing by the servlet. It is up to the servlet to check the request.isSessionExpired() and take appropriate action of notifying the user that their session has expired at this point.

The SecureCountVisits page does not check for the isSessionExpired() and therefore uses the session even when it is expired. However, since handleInvalidSession() has already run, the cookie identifying the session has been removed (or will be removed when the response is flushed). Therefore on the next invocation of the page there is no cookie identifying a session, so you are prompted with the login page.

Probably what should happen is that the SecureCountVisits example should be updated to include a check for isSessionExpired() and then display an expired session page.

-Stuart-

Chris Backas wrote:
> Hello all,
> I've been having an interesting problem with dynamic session timeouts
> and the SecurePage skeleton provided by the examples. I've got a
> servlet hierarchy based on the SecurePage example to handle
> authentication. It generally works fine, but when the user leaves the
> session idle a long time, things can get weird. If the session gets
> flushed to disk, and then times out completely - and then the user
> sends another request, the session is restored from disk and the
> request is fulfilled. Then the NEXT request will be denied saying
> that their session has timed out.
> Any ideas on where I should look, or what the source of this might be?
> Thanks in advance,
> Chris Backas
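
The flow described in Stuart's reply, as an added example that is not part of the original thread and is not Webware's code: a toy model in which an expired session stays attached to the request, so a page that skips isSessionExpired() serves one more request before the login page appears. Only handleInvalidSession(), isSessionExpired(), _sessionExpired and the _SID_ cookie come from the thread; the classes, dispatch(), replay() and the sample session are assumptions made for illustration.

```python
# Toy model of the flow described in this thread; NOT Webware's code. From the thread:
# handleInvalidSession(), isSessionExpired(), _sessionExpired, _SID_. The rest is hypothetical.
class Session:
    def __init__(self, user, last_access, timeout):
        self.user, self.last_access, self.timeout = user, last_access, timeout
        self.count = 0

class Request:
    def __init__(self, session):
        self.session = session             # stays attached for the transaction
        self._sessionExpired = False
    def isSessionExpired(self):
        return self._sessionExpired

class Application:
    def __init__(self):
        self.store = {}                    # sid -> Session
    def handleInvalidSession(self, request, set_cookies):
        set_cookies["_SID_"] = None        # browser is told to drop the cookie
        request._sessionExpired = True     # marked only; session is not deleted
    def dispatch(self, servlet, cookies, now):
        set_cookies = {}
        session = self.store.get(cookies.get("_SID_"))
        if session is None:
            return "login page", set_cookies
        request = Request(session)
        if now - session.last_access > session.timeout:
            self.handleInvalidSession(request, set_cookies)
        return servlet(request), set_cookies

def secure_count_unchecked(request):       # page that never asks isSessionExpired()
    request.session.count += 1
    return "visits=%d for %s" % (request.session.count, request.session.user)

def secure_count_checked(request):         # same page with the suggested check
    if request.isSessionExpired():
        return "session expired page"
    return secure_count_unchecked(request)

def replay(servlet):                       # two requests sent after the timeout
    app = Application()
    app.store["abc"] = Session("chris", last_access=0, timeout=60)  # constructed
    browser, pages = {"_SID_": "abc"}, []
    for now in (1000, 1001):
        body, set_cookies = app.dispatch(servlet, browser, now)
        if "_SID_" in set_cookies:
            browser.pop("_SID_", None)     # cookie removed once response is flushed
        pages.append(body)
    return pages
```

Calling replay() with each page function returns the two page bodies in order, so the unchecked and checked variants can be compared side by side.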