Re: Forced session expiry after certain period

Tue, 25 Jun 2019 11:15:27 -0700 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

M,

On 6/24/19 18:07, M. Manna wrote:
> Hello,
> 
> Is it possible to evict all sessions after certain period of time ?
> This is not the same as idle session-timeout (web.xml).
> 
> We are trying to research into whether there’s an absolute maximum
> limit for a session in tomcat. After which _any_ session should be
> expired.
> 
> We are currently using default session manager.

There is nothing that Tomcat provides that will enforce a maximum
session lifetime; only maximum "inactive" timeout is provided, as per
the servlet spec.

Building such a "maximum session lifetime" is not difficult and can be
done with a custom servlet Filter (which you will have to write).
Something like this:

- - check that the session exists
  - if not, continue normally
  - if so, check whether the session contains an expiration
    - if not, compute the expiration of the session and put it into
the session
    - if so, compare the expiration date to now
      - if expired, invalidate the session and send the user ... ??

Hope that helps,
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl0SZHwACgkQHPApP6U8
pFi8lQ/7BXkpERYykcKmA4LR5dGeLKodwW/ZrrdGi+ftb2OI0Amz8SfZ/704fUKy
i9eZ1lm88l/lnKGgu4AOXHP8mG/qZ34NtrMEAkgo0EwyNWddsm+iAecTsqDenIEf
I0s7Ksbuwj8/i/Yq36cTl+hI3FK5/Lpd1J9F9lQYTZRiK6MsAac490WAgDAg27Oo
rH9xtm7e5tGkAvjsYE25FnDTVVDa3zTN7Q9HG2SOahhE75wS9yRv+q6MCr63xnRG
6jHbbVMdfSSK0HESykczZggBH2fRrmGAJ2mCVIPYeOoXg7a2aAukAbt6WCQ0SYZf
tTpOkAU7+axRq3tOTXubItyD9C734o58MsW+2ILKM1O+GEfQKgak20vdbk6z4uGA
LHsBCowCUU2813JD97Glcul3z4uILq3oHTK6GfJPdxq+hN8tuO61ZtWaKJ1T2T7/
6WvO7qNHSRueNMWfm/ALkIdlHk2KyyS/0YLd0ejJvTYZYHPi4KBMfysPBXa52IRr
ewwoS8kPmQldRZQhaUA373uOqZf/nV2CW2FgKoAmB2KeOTOmcBxTevTCdRlKqa4I
T9wvEQ7r9+O0a/0ox2Llev0Y0BR+ru929CMR8jc9RfEOHLj6sKZywDqJkydB25UU
DCzr/R5s6Hv1RiwWfZCmr1H/MTCRjH3xVZIUYrjls+Kvn9yvBBc=
=O/HF
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to