I would like to test my webapplication (JSF 2.2) which has a custom Esxception Handler Factory.
Now i would like to know if everything works as expected when a javax.faces.application.ViewExpiredException is thrown. Is there any way, I can decrease the time to wait for getting this exception?
Throwing it programmatically is not an option, as I would like to have a nearly 100% productive test scenario.
As far as I'm concerned, it should be enough to force a Session expiration while you keep the JSF view state in the server side:
Setting STATE_SAVING_METHOD to client has however an additional functional advantage: it prevents ViewExpiredExceptions when the session has expired or when the client opens too many views.
So, being the javax.faces.STATE_SAVING_METHOD defaulted to server, you only need to specify the timeout you want for the Http Session:
<session-config>
<session-timeout>2</session-timeout>
</session-config>
As an alternative, you could choose to set your own limit of views. That depends on the concrete JSF implementation, Mojarra defaults to 16 and MyFaces to 20. For the first one, you could use com.sun.faces.numberOfLogicalViews to decrease the amount of views accepted simultaneously per client. As an example, setting it to 3 should fire the exception when you've got four tabs opened in the same browser (same Http Session).
See also:
What is STATE_SAVING_METHOD parameter in JSF 2.0
Session TimeOut in web.xml
How can I set the view timeout?
In Google Chrome you can use the Developer Tools to delete the session cookie.
Web.xml
you should have something like:
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
Where the timeout is in minutes, so set to 1
Related
I am making a web application based on Spring 3 and Apache Wicket. When the user of the application click on element, after the timeout of the session, the application crash because the HTML file doesn't find the Java component. How can I prevent this?
By default Wicket will create a new instance of the page if the old one is gone for any reason: https://github.com/apache/wicket/blob/38bee6e932e63fa033c2139cdfb2f82eba55fadc/wicket-core/src/main/java/org/apache/wicket/settings/PageSettings.java#L46
Maybe this setting is false for you ?!
Behind you spring/wicket app you have a Java Servlet Web application. Set the timeout=0 and sessions won't expire.
Include this block in the web.xml. You can also do it programatically.
<web-app ...>
<session-config>
<session-timeout>0</session-timeout>
</session-config>
</web-app>
I believe you are looking for ExpiredErrorPage Configure below in yourApplication init() method
Whenever session expired it will redirect to loginpage . It will not show like crashed .so that you can login again and do your stuff.
getApplicationSettings().setPageExpiredErrorPage(LoginPage.class);
Environment :
Liferay 6.2 with Jboss
We are trying to implement httponly and secure.
For this we have dome some changes like below
Added in Portal-ext.properties :
cookie.http.only.names.excludes=
and
Added following properties in ROOT.war/WEB-INF/web.xml
<session-config>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
</session-config>
I can see all the session cookies are httponly except the one which are starting with LFR_SESSION_STATE_
Can anyone suggest how we can handle this.
LFR_SESSION_STATE_ are cookies that explicitly get handled on client-side and not on server side - thus they're inherently only accessed through JS. As far as I know they're never even persisted on server side. And I don't expect any real leakage from these cookies. In my perception the cookies are about determining state of the quality "should this help item be shown with full text or just collapsed".
Is there a way in Spring Security to set sessions to expire after a time, regardless of activity?
i.e. when someone logs in, they have exactly 30 minutes to work and then the session is dead, regardless of whether they have been navigating, making REST calls, etc.
I don't think so. But you can use Quartz scheduler for job scheduling and execute a job when you need, for example 30 minutes after the user logged in.
Adding the below lines in your web.xml should work out ideally.
<session-config>
<session-timeout>30</session-timeout>
</session-config>
I understand that the session timeout is for finding out an idle app and ending that particular session.
I have commented the session-timeout tag in the web.xml. Also I have not set any session timeout in my application anywhere else like maxInactiveInterval().
But my session is expiring nearly after 2 or 3 hours. Is there any automatic session timeout in Tomcat?
I have observed the above phenomenon in both Tomcat 5 & 7. Please help... I don't want a timeout happening for some purpose here.
If you don't want a timeout happening for some purpose:
<session-config>
<session-timeout>0</session-timeout>
</session-config>
should result in no timeout at all -> infinite
yes.In tomcat web.xml file see this code:
<session-config>
<session-timeout>30</session-timeout>
</session-config>
By default it set to 30 minutes. if you dont want session expiry simply put as 0 instead of 30.
session statics in tomcat.
I need to change the session time for my web Application.
The web application is created using Struts 2.0 and is deployed on Tomcat Web Server.
I tried it by changing the timeout in web.xml of server like below.
<session-config>
<session-timeout>1</session-timeout>
</session-config>
And also i tried it by puting above code in web.xml of Web Application.
But both of above solutions did not work.
Still, Web Applicaiton session is maintained for 30 minutes. Please suggest how can i change the session timout value.
Thanks
Jyoti
It should work. Put it in webapps/yourapp/WEB-INF/web.xml. Remove it from the server's web.xml. And make sure everything is freshly redeployed.
Also make sure you are not interacting with the session (including ajax) for that amount of time.