Konstantin,
On 7/14/2011 10:40 AM, Konstantin Kolinko wrote:
> 2011/7/14 Christopher Schultz <ch...@christopherschultz.net>:
>>
>> Konstantin,
>>
>> On 7/13/2011 8:54 PM, Konstantin Kolinko wrote:
>>> AFAIK, 1) Tomcat won't send Set-Cookie when session id is
>>> already known (either from this webapp or from webapp on its
>>> parent path such as ROOT).
>>
>> That would sound like a bug. If the session cookie's expiration
>> date is not "-1", then it needs to be updated with every response,
>> no?
>
> I cannot say without reading the letter of the spec.

+1

I'll take a look.

From reading the docs for <max-age> in web.xml's Schema, it looks like the max-age is essentially a client-enforced session timeout... this allows (as the OP wants) sessions on the client to survive client restarts.

> 1) Updating it with every response sounds lame.

I'm not sure there's any other way to do it (if my interpretation of the above is correct). A cookie has an expiration date, and that expiration date needs to be nudged further into the future every time the session is accessed.

> 2) max-age value should be consistent between all web applications
> that might share the session cookie. Otherwise there will be
> inconsistencies and breakages.

The spec doesn't cover SSO, so I think it's likely that this case isn't covered there.

> 3) I think that there might be use case when max age is greater than
> zero, but app owner does not want to send it with each response.

In this case, max-age is always greater than zero. Under what cases would an app owner have max-age > 0 but also not want to send it with every response?

> Is SSO cookie updated with each response?

Dunno. Probably max-age=-1 for those. I'll check.
-chris
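
As an added illustration of the refresh discussed in the message above (not part of the original e-mail and not Tomcat's own code): a servlet filter that re-sends the session cookie with a fresh Max-Age on every request that carries a valid session id. It assumes a Servlet 3.0 container with `<max-age>` set to a positive value under `<session-config>`/`<cookie-config>` in web.xml; the class name `SessionCookieRefreshFilter` is hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical example filter: slides the session cookie's expiry forward on each access. */
public class SessionCookieRefreshFilter implements Filter {
    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        SessionCookieConfig scc = request.getServletContext().getSessionCookieConfig();
        HttpSession session = request.getSession(false); // never create a session here

        // Refresh only when the client presented a still-valid id in a cookie and
        // the configured max-age is positive (-1 means a browser-session cookie).
        if (session != null && !session.isNew() && scc.getMaxAge() > 0
                && request.isRequestedSessionIdFromCookie()
                && request.isRequestedSessionIdValid()) {
            String name = scc.getName() != null ? scc.getName() : "JSESSIONID";
            Cookie cookie = new Cookie(name, session.getId());
            cookie.setMaxAge(scc.getMaxAge()); // seconds from now, so expiry moves forward
            // Path must match the original cookie, or the browser stores a second one.
            String path = scc.getPath() != null ? scc.getPath() : request.getContextPath();
            cookie.setPath(path.isEmpty() ? "/" : path);
            if (scc.getDomain() != null) {
                cookie.setDomain(scc.getDomain());
            }
            cookie.setHttpOnly(true); // assumption: scripts never need the session id
            cookie.setSecure(scc.isSecure() || request.isSecure());
            // Must be added before the chain runs, while headers can still be written.
            response.addCookie(cookie);
        }
        chain.doFilter(req, res);
    }
}
```

The server-side session timeout still decides whether the id is accepted; the cookie's Max-Age only controls how long the client keeps presenting it. Web applications that share the cookie path need the same max-age value, as point 2 of the quoted text notes.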