If Ajax requests need session state, then IMO Tomcat cannot help you with that - it cannot and should not differentiate between requests issued by Ajax and requests issued by the user. In that case one solution would be to log out the user with a logout request after a timeout. Where Ajax requests live, JavaScript is enabled, so on page load you can just use window.setTimeout (https://developer.mozilla.org/en/DOM/window.setTimeout) to send the logout request, where the client-side timeout duration could/should be the same as the server-side session timeout.

Regards,
Stevo.

On Sun, Mar 20, 2011 at 3:40 PM, André Warnier <a...@ice-sa.com> wrote:
> sebb wrote:
>>
>> On 20 March 2011 11:19, André Warnier <a...@ice-sa.com> wrote:
>>>
>>> sol myr wrote:
>>>>
>>>> Hi,
>>>>
>>>> We have a Servlets/JSP application on Tomcat6.
>>>> Our JavaScript issues automatic, periodic polling requests (Ajax and
>>>> Comet), in order to keep the view up-to-date.
>>>> Unfortunately this prevents sessions from timing out...
>>>>
>>>> Is there a way to tell Tomcat that some URL shouldn't affect session
>>>> timeouts?
>>>> Namely if for the last 30 minutes, the browser requested nothing but
>>>> "http://server/autoRefresh.do", then Tomcat should assume the user went
>>>> away from the computer, and kill the session.
>>>>
>>> You may have to explain the logic of this a bit better, because on the
>>> face of it, it makes no sense.
>>> Presumably, if you create a session, it is because the application needs
>>> a session (aka, needs some information to be preserved between individual
>>> requests of the same user/browser).
>>> Then why would you want it to time out?
>>
>> This is the sort of behaviour one wants for online banking - the
>> session should be logged out if the user does not do anything for a
>> while, even though the page may be doing background requests.
>>
>
> All right then, I'll buy that, if somewhat reluctantly.
>
> The creation or retrieval of a session, as far as I understand it, is
> totally under application control.
> In other words, if your servlet (or JSP), when it is called, executes a
> HttpServletRequest.getSession() call, then it will retrieve the existing
> session (or create one if none exists yet); and if it does not call
> getSession(), it will not.
>
> In other words, if you want some request URLs "not to count" (or "be
> excluded") as far as the session mechanism is concerned, then you just have
> to map these requests (URLs) to a servlet/JSP page which does not do a
> getSession().
>
> Of course, if in order to refresh the information in the browser page, the
> application needs to access information stored in the session, then you have
> a problem.
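
One server-side way to get the behaviour asked for in this thread, as an added example that is not from any of the posters or from Tomcat: a servlet filter that records the last user-driven request in the session and does not count the polling URL as activity. The attribute name, the 30-minute limit, the `/login.jsp` path and matching `/autoRefresh.do` through `getServletPath()` are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Idle timeout driven by user requests only; polling does not reset it. */
public class UserIdleTimeoutFilter implements Filter {
    // Assumed values for illustration; adjust to the application.
    private static final String LAST_USER_ACTIVITY = "lastUserActivityMillis";
    private static final String POLLING_PATH = "/autoRefresh.do";
    private static final String LOGIN_PATH = "/login.jsp"; // hypothetical page
    private static final long MAX_IDLE_MILLIS = 30L * 60L * 1000L;

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): look up the session without ever creating one.
        HttpSession session = request.getSession(false);
        if (session == null) {
            chain.doFilter(req, res);
            return;
        }

        long now = System.currentTimeMillis();
        boolean polling = POLLING_PATH.equals(request.getServletPath());
        Long last = (Long) session.getAttribute(LAST_USER_ACTIVITY);

        if (last != null && now - last.longValue() > MAX_IDLE_MILLIS) {
            // The user has been idle too long, whatever the poller did.
            session.invalidate();
            if (polling) {
                // Lets the page script detect the logout and stop polling.
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            } else {
                response.sendRedirect(request.getContextPath() + LOGIN_PATH);
            }
            return; // do not serve this request with the stale identity
        }

        // Only user-driven requests refresh the timestamp. A session first
        // seen through the poller still gets a start time so it can expire.
        if (!polling || last == null) {
            session.setAttribute(LAST_USER_ACTIVITY, Long.valueOf(now));
        }
        chain.doFilter(req, res);
    }
}
```

The filter only acts when a request arrives, so the container's own `session-timeout` stays configured as the backstop for browsers that close and stop polling.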