http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25792

Session timeout implemented incorrectly

           Summary: Session timeout implemented incorrectly
           Product: Tomcat 5
           Version: 5.0.16
          Platform: PC
        OS/Version: Windows NT/2K
            Status: NEW
          Severity: Major
          Priority: Other
         Component: Catalina
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]
                CC: [EMAIL PROTECTED]

Sessions expire even if they are accessed within the specified timeout interval. In our application it breaks application logic. I think that bug report #20083 refers to this problem and offers a fix.

To reproduce:

Use the two files SessionTimeoutBug.java and web.xml to create and deploy the bug-reproduction webapp, then direct the browser to http://yourserver:8080/bug/SessionBugDemo, hit the URL on the page and wait for timeouts. The "interval" context parameter in web.xml defines an activity interval in seconds and is set to 120 (every 120 seconds the browser sends a "get" request to the server). The "session-timeout" config parameter is set to 3 minutes. Setting "interval" to 60 or lower shows a situation where the bug has no effect.

Actual result:

The first refresh behaves correctly (as the 120-second interval falls within the 3-minute timeout period) and the resulting history page shows that the session is alive. The second refresh causes the start of a new session, and the webapp start-page is displayed instead of the session history page. When "interval" is set to 60, however, the history page is displayed repeatedly, meaning that in this case the session never times out.

Expected result:

That the session would never time out for any "interval" which is lower than or equal to "session-timeout" (in this example - any interval up to 180 seconds). The history page should continue to be displayed and evolve, and the start-page should not be displayed after the demo app has begun.

I used the downloaded binaries of 5.0.16.

---------------------------- SessionTimeoutBug.java ----------------------

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
import java.util.*;

public class SessionTimeoutBug extends HttpServlet {

    private int interval = 0;

    public void init (ServletConfig config) throws ServletException {
        ServletContext context = config.getServletContext ();
        String str = context.getInitParameter ("interval");
        try {
            if (str != null) {
                interval = Integer.parseInt (str);
            }
            if (interval < 0) {
                interval = 0;
            }
        } catch (NumberFormatException e) {
            interval = 0; // no refresh
        }
    }

    public void doGet (HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        HttpSession session = request.getSession (true);
        String history = (String) session.getAttribute ("history");
        String url = response.encodeURL (request.getRequestURI ());
        if (history == null) {
            genFirstPage (response, session, url);
        } else {
            genPage (response, session, url);
        }
    }

    private void genFirstPage (HttpServletResponse response, HttpSession session, String url)
            throws IOException, ServletException {
        session.setAttribute ("history", "");
        PrintWriter out = response.getWriter ();
        out.println ("<html>");
        out.println ("<head>");
        out.println ("<title>Session Timeout Bug Demonstration</title>");
        out.println ("</head>");
        out.println ("<body>");
        out.println ("To start demo click <a href=\"" + url + "\">here</a>.");
        out.println ("</body>");
        out.println ("</html>");
        out.close ();
    }

    private void genPage (HttpServletResponse response, HttpSession session, String url)
            throws IOException, ServletException {
        String history = (String) session.getAttribute ("history");
        history = history + "<BR>Time = " + (new Date ());
        session.setAttribute ("history", history);
        PrintWriter out = response.getWriter ();
        out.println ("<html>");
        out.println ("<head>");
        out.println ("<title>Session Timeout Bug Demonstration</title>");
        out.println ("<meta http-equiv=\"refresh\" content=\"" + interval + ";" + url + "\">");
        out.println ("</head>");
        out.println ("<body>");
        out.println ("<B>Refresh history: </B>" + history);
        out.println ("<br>");
        out.println ("<br><b>Session timeout is: </b>" + session.getMaxInactiveInterval() + " seconds.");
        out.println ("<br><b>Next refresh in: </b>" + interval + " seconds.");
        out.println ("</body>");
        out.println ("</html>");
        out.close ();
    }
}

---------------------------- web.xml ----------------------

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC
    "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>

    <!-- General Description of the web application -->
    <display-name>
        Session Timeout Bug Demonstration Web Application
    </display-name>
    <description>
        Session Timeout Bug Demonstration Web Application
    </description>

    <!-- Context Parameters -->
    <context-param>
        <param-name>interval</param-name>
        <param-value>120</param-value>
    </context-param>

    <!-- Servlet Definitions -->
    <servlet>
        <servlet-name>SessionTimeoutBugDemonstration</servlet-name>
        <servlet-class>SessionTimeoutBug</servlet-class>
    </servlet>

    <!-- Servlet Mapping -->
    <servlet-mapping>
        <servlet-name>SessionTimeoutBugDemonstration</servlet-name>
        <url-pattern>/SessionBugDemo</url-pattern>
    </servlet-mapping>

    <!-- Session Timeout Definition -->
    <session-config>
        <session-timeout>3</session-timeout>
    </session-config>

</web-app>

------------------------------------ END ------------------------------------