I'm doing my first Java EE web application and I'm struggling with sessions.
In my web.xml file I put the following settings:
<session-config>
<session-timeout>30</session-timeout>
</session-config>
But if I close my browser, which is not configured to delete cookies on close,
after reopening it the session is over.
How can I have a "persistent" session?
Check if a cookie named JSESSIONID is getting created during your first request. Then close your browser, open it again and check if that cookie is still there and its value is the same.
I think it will not be, and that is the reason your session expires.
When a cookie's expiration is set to "session", it will get deleted by the browser when the user closes the browser. This has nothing to do with the web.xml session-timeout setting, which will force-close the Java EE session server-side if there are no requests by the user in the designated timespan.
Spring has "remember me" functionality:
http://static.springsource.org/spring-security/site/docs/3.0.x/reference/remember-me.html
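The answer above separates the browser-side cookie lifetime from the server-side timeout. As an added illustration (not code from the question or the answers), this Servlet 3.0 context listener gives the container's JSESSIONID cookie an explicit Max-Age so the browser keeps it across restarts; it is the programmatic equivalent of `<cookie-config><max-age>` under `<session-config>` in web.xml. The 30-minute value is assumed to match the `<session-timeout>` shown in the question.

```java
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

// Added example: configure the session cookie the container issues.
// The server-side <session-timeout> in web.xml still applies on its own;
// the two lifetimes are deliberately aligned here.
@WebListener
public class PersistentSessionCookieConfig implements ServletContextListener {

    // Assumed value: must match <session-timeout>30</session-timeout> in web.xml.
    private static final int SESSION_TIMEOUT_MINUTES = 30;

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();

        // Without a Max-Age the cookie is a "session cookie": the browser
        // discards it on close no matter what web.xml says.
        cfg.setMaxAge(SESSION_TIMEOUT_MINUTES * 60);

        // A cookie that outlives the browser window is exposed for longer,
        // so keep it away from scripts and off plain HTTP.
        cfg.setHttpOnly(true);
        cfg.setSecure(true);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}
```

The container sends this cookie when the session is created, so the Max-Age counts from that moment rather than from the last request; for a login that should survive longer than one timeout window, a dedicated remember-me token such as the Spring feature linked above is the more robust approach.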
Related
I have a J2EE application which uses JSF and Spring 3.x. My web app is developed in *.xhtml, and I have used JSF ManagedBeans.
I want to redirect to the login page when the session has elapsed the timeout. I am a bit new and need to know the following.
How to set the session timeout time (basically I want to set a maximum time where the application would be idle and redirect to the login page with an invalid session)
What is the meta tag which I need to place in my *.xhtml which will direct to the login page?
Hope the requirement is clear. Just stating the requirements of my problem again:
The system should not invalidate the session as long as the user is interacting with the system.
It should only invalidate the session and redirect to the login page when the system has been idle for a given time.
Tech Stack
JSF with ManagedBeans (have used faces-config.xml etc.)
Spring for the service layer
Hibernate for the DAO layer and in defining the entities.
If by "idle" you mean not sending any request to the server, then you have to set the session-timeout in your web.xml file. It should look like this for a 30-minute timeout:
<session-config>
<session-timeout>30</session-timeout>
</session-config>
To handle the redirection to login when the session times out, have a look at this answer.
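As an added example (not code from the answer above or its linked one), one way to do the redirect in a JSF application: a filter that acts only when the browser presented a session id the server no longer recognises, so first-time visitors and active users pass through untouched. JSF ajax requests do not follow a plain 302, so those get a `partial-response` redirect instead. The login page URL is an assumption.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: send the user to the login page after the container has
// expired the session. Active sessions are never touched, which satisfies the
// "only when idle" requirement; idleness itself is defined by <session-timeout>.
@WebFilter("*.xhtml")
public class SessionExpiredFilter implements Filter {

    private static final String LOGIN_PAGE = "/login.xhtml"; // assumed

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String ctx = request.getContextPath();
        String path = request.getRequestURI();

        // Never bounce the login page itself or JSF resource requests (jsf.js, css).
        boolean skip = path.equals(ctx + LOGIN_PAGE)
                || path.startsWith(ctx + "/javax.faces.resource/");
        // A session id was sent but the server has already discarded that session.
        boolean expired = request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();

        if (expired && !skip) {
            String loginUrl = ctx + LOGIN_PAGE;
            if ("partial/ajax".equals(request.getHeader("Faces-Request"))) {
                // JSF ajax: jsf.js performs the redirect from this XML reply.
                response.setContentType("text/xml");
                response.setCharacterEncoding("UTF-8");
                response.getWriter().printf("<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
                        + "<partial-response><redirect url=\"%s\"></redirect></partial-response>",
                        loginUrl);
            } else {
                response.sendRedirect(loginUrl);
            }
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig fc) { }
    @Override public void destroy() { }
}
```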
I was trying to scan a web app hosted in Tomcat and faced some difficulty, and later realized that even within the same session for a user, Tomcat changes the JSESSIONID (monitored using Fiddler). I could not find any configuration in server.xml as such. Any info on this would be helpful.
I would assume Tomcat would do this to defend against session fixation.
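For the behaviour guessed at above, here is the same defence applied explicitly by an application (an added example, not code from the question or the answer): the session id the browser carried before login is replaced once the user authenticates, so an id planted or observed beforehand grants nothing afterwards. It assumes a Servlet 3.1 container (Tomcat 8 or later) for `request.changeSessionId()`; `checkCredentials()` and the landing page are hypothetical stand-ins.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: rotate the session id at the privilege boundary (login).
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = request.getParameter("username");
        String password = request.getParameter("password");

        if (!checkCredentials(user, password)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Servlet 3.1: keep the session's attributes but issue a fresh id; the
        // container re-sends the JSESSIONID cookie with the new value, which is
        // the id change visible in a proxy such as Fiddler.
        HttpSession session = request.getSession();
        request.changeSessionId();

        // On a Servlet 3.0 container the equivalent is to discard the old session
        // and start a new one:  session.invalidate(); session = request.getSession(true);

        session.setAttribute("user", user);
        response.sendRedirect(request.getContextPath() + "/home.xhtml"); // assumed landing page
    }

    // Hypothetical placeholder: a real application validates against its user store.
    private boolean checkCredentials(String user, String password) {
        return user != null && password != null && !user.isEmpty() && !password.isEmpty();
    }
}
```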
I believe the default session timeout for Servlet is 30 minutes.
It can be altered with <session-timeout> in web.xml.
I'm developing a Java App Engine project with multiple modules. I have enabled the sessions in the appengine-web.xml for the default module:
<sessions-enabled>true</sessions-enabled>
When I open the default module in the browser, a session is created:
Upon closing the browser, the session is gone. When inspecting the cookies in the browser I only see 1 cookie for the domain:
JSESSIONION-c73210e91f2dc1e586e87edd793da6dc
with an expiration set to the end of the session. In the datastore there are entities created of the kind _ah_SESSION (I also see them in the memcache). So App Engine has enabled the sessions but is not giving me a persisting cookie with a default expiration of +30 minutes.
Is there something I am overseeing here?
Update:
I have set the session timeout parameter in the web.xml just to be sure. But still no persisting cookie:
<session-config>
<session-timeout>100</session-timeout>
</session-config>
I am confused about a couple things regarding cookies.
Why do I need to use/customize javax.servlet.http.Cookie class in order to implement a Remember me feature?
In my web.xml, couldn't I just use:
<session-config>
<session-timeout>10080</session-timeout>
</session-config>
Isn't it a security issue having cookies on a computer? Couldn't a cracker steal another user's cookie and hijack their session?
You don't - you just need to create an http session. Tomcat will either create a cookie or use a jsessionid URL parameter to maintain your session - this is part of the Java EE servlet specification. If you use a JSP then they automatically create http sessions. Various other things can cause sessions to be created also.
Yes, this is called session hijacking.
I need to change the session time for my web Application.
The web application is created using Struts 2.0 and is deployed on Tomcat Web Server.
I tried it by changing the timeout in the web.xml of the server like below.
<session-config>
<session-timeout>1</session-timeout>
</session-config>
And I also tried it by putting the above code in the web.xml of the web application.
But both of the above solutions did not work.
Still, the web application session is maintained for 30 minutes. Please suggest how I can change the session timeout value.
Thanks
Jyoti
It should work. Put it in webapps/yourapp/WEB-INF/web.xml. Remove it from the server's web.xml. And make sure everything is freshly redeployed.
Also make sure you are not interacting with the session (including ajax) for that amount of time.