Re: Session cookie max age

Wed, 13 Jul 2011 14:43:07 -0700 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Josh,

On 7/13/2011 5:15 PM, Josh Simmons wrote:
> I was afraid I wasn't being specific enough - sorry.
> 
> <session-config> <session-timeout>180</session-timeout> 
> <cookie-config> <max-age> 10800 </max-age> </cookie-config> 
> </session-config>

Can you post your entire web.xml? You can remove all the servlet,
listener, and security constraint stuff.

> We do not want to use the default cookie max age of -1 for our 
> session cookie. We would like for our session to persist across 
> browser restart (I know this might be frowned upon but it’s a 
> stepping stone towards the correct solution) - so in order to do so 
> we set the max age of our session cookie to 3hours , the same as our
>  timeout.

Gotcha.

> While the jsessionid might not be changing for every request, the 
> timeout is changing with every request.

Okay, now I get it. You expect Tomcat to set the cookie's max age to be
NOW + 180 minutes. That's what I'd expect, too.

> As I stated previously, we can fix this by just configuring our max 
> age to be 24 hours, because ideally no one is going to perfectly
> keep their session alive on the server for that length of time.
> 
> Hopefully this makes more sense now of what I'm after.

It does. Assuming that you don't have a misconfiguration and that this
is a Tomcat bug, you ought to be able to get around the problem using a
Filter that looks something like this:

public class SessionCookieMaxAgeFilter
  implements Filter
{
  public void doFilter(ServletRequest request,
                       ServletResponse response,
                       FilterChain chain)
  {
    if(request instanceof HttpServletRequest)
    {
      Cookie cookie = getCookie((HttpServletRequest)request));

      if(null != cookie)
      {
        // force the cookie back on the client
        cookie.setMaxAge(180);

        ((HttpServletResponse)response).addCookie(cookie);
      }
    }
  }

  private Cookie getCookie(HttpServletRequest request)
  {
    Cookie[] cookies = request.getCookies();

    if(null != cookies)
    {
      for(int i=0; i<cookies.length; ++i)
      {
        if("JSESSIONID".equals(cookies[i].getName()))
        {
          return cookie;
        }
      }
    }

    return null;
  }
}

Post your configuration and I'll take a look at the code (which may take
some time :)

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk4eEUgACgkQ9CaO5/Lv0PAH5gCfTJijKQNqLv3F/TPQVT9CCMCL
RiMAn2b/CDEJj+vPQrRFj5FozSATkst/
=i8JZ
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to