|
Mantis - Resin
|
|||||
| Viewing Issue Advanced Details | |||||
|
|
|||||
| ID: | Category: | Severity: | Reproducibility: | Date Submitted: | Last Update: |
| 222 | minor | always | 05-27-05 00:00 | 11-30-05 14:43 | |
|
|
|||||
| Reporter: | sam | Platform: | |||
| Assigned To: | OS: | ||||
| Priority: | urgent | OS Version: | |||
| Status: | closed | Product Version: | |||
| Product Build: | Resolution: | fixed | |||
| Projection: | none | ||||
| ETA: | none | Fixed in Version: | 3.0.14 | ||
|
|
|||||
| Summary: | 0000222: session timeout issue | ||||
| Description: |
RSN-245 (rep by B Davis) I tested the latest resin snapshot (050525) and sessions are still not timing out correctly. This is the same issue we reported on March 18, 2005, and is related to the issue we reported as a critical issue on Feb 2, 2005. The behavior has changed somewhat from previous reports in that sessionDestroyed on our session tracking listener after the session timeout specified in the web.xml, however the end result is still the same. Additionally using a debugger, I find that the session timeout in the HttpSession object is set to 60000 milliseconds, which is correct, however the value is clearly being ignored in favor of the default timeout settings of the backing store. Calling session.setMaxInactiveInterval also has no effect. The changes you introduced in this revision are actually worse in that it breaks our only possible workaround of calling session.invalidate() to insure that the session is removed once sessionDestroyed fires. The relevant portion of our web.xml is : <session-config> <!-- <tcp-store/> --> <!-- <file-store>WEB-INF/sessions</file-store> --> <!-- <always-load-session/> --> <!-- <always-save-session/> --> <session-timeout>1</session-timeout> <ignore-serialization-errors>false</ignore-serialization-errors> </session-config> The relevant section of resin.conf is <persistent-store type="jdbc"> <init> <data-source>jdbc/mysql</data-source> </init> </persistent-store> SRV.7.5 Session Timeouts In the HTTP protocol, there is no explicit termination signal when a client is no longer active. This means that the only mechanism that can be used to indicate when a client is no longer active is a timeout period. The default timeout period for sessions is defined by the servlet container and can be obtained via the getMaxInactiveInterval method of the HttpSession interface. This timeout can be changed by the Developer using the setMaxInactiveInterval method of the HttpSession interface. The timeout periods used by these methods are defined in seconds. By definition, if the timeout period for a session is set to -1, the session will never expire. The session invalidation will not take effect until all servlets using that session have exited the service method. Once the session invalidation is initiated, a new request must not be able to see that session. |
||||
| Steps To Reproduce: | |||||
| Additional Information: | Resin snap 050525 | ||||
| Relationships | |||||
| Attached Files: | |||||
| Notes | |||||
|
|
|||||
|
|
||||