Brian Blount wrote:
I need to be able to distinguish between a session
timeout vs the first time someone accesses my web
application. Within a single web application, I've
been able to use the following logic:
(request.isRequestedSessionIdValid() == false &&
(request.isRequestedSessionIdFromCookie() ||
request.isRequestedSessionIdFromURL()))
This assumes that any request containing an invalid
session id refers to a timed-out session (although it
could be something else...)
(this trick is new to me, and looks like being more
use to me than it is to you - thanks! :-)
However, I am running multiple web applications with
single-sign-on enabled between them, so when I first
navigate from one web application to the next, the
above expression evaluates to true even though my
session has not timed out.
presumably because the unrecognised session id actually
refers to a (possibly valid) session in another web app?
Is there a better way of detecting session timeouts in
tomcat?
each web app could maintain a Set of issued session ids
to enable it to distinguish expired ones from alien ones
(at least until the app was restarted)
or your bunch of apps could share their collections of
issued session ids via a database
I guess this isn't Tomcat-specific: the (next?) API could
do a little more to help you in these circumstances?
Paul Singleton
--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.344 / Virus Database: 267.12.4/142 - Release Date: 18/Oct/2005
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
