This week's book giveaway is in the Other Languages forum.
We're giving away four copies of Functional Reactive Programming and have Stephen Blackheath and Anthony Jones on-line!
See this thread for details.
Win a copy of Functional Reactive Programming this week in the Other Languages forum!
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

HttpSession expiration

 
JeanLouis Marechaux
Ranch Hand
Posts: 906
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
hi folks.
Could you just help me on this.
When the HTTPsession expired and you are using form based login, are you supposed to be re-challenged the next time you try to access the application ?
My understanding is that you should have to log i again, but my AppServer provider argue it is not part of the spec

I can't find anything really clear about that in servlet 2.2 spec.
[ October 04, 2002: Message edited by: Bill Bailey ]
 
William Brogden
Author and all-around good cowpoke
Rancher
Posts: 13074
6
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
You are correct - if the previous session has expired the next access should be just like the initial login. If the session is expired the system should have nothing hanging around from the previous login.
Bill
 
JeanLouis Marechaux
Ranch Hand
Posts: 906
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Originally posted by William Brogden:
You are correct - if the previous session has expired the next access should be just like the initial login. If the session is expired the system should have nothing hanging around from the previous login.
Bill

William, do you have any idea where I could find these information in a Sun Spec. Actually, I know it has been added as a note in servlet 2.3 spec (12.5.3.1), but my provider only implement the 2.2 spec.
So they argue even if the the credentials are still valid after httpSession expiration, their product works just fine... and I fully disagree with that...
 
William Brogden
Author and all-around good cowpoke
Rancher
Posts: 13074
6
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I fear we may be talking about two different things here. Perhaps the provider is talking about "credentials" that are entirely separate from Java and the servlet engine.
Bill
 
JeanLouis Marechaux
Ranch Hand
Posts: 906
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Originally posted by William Brogden:
Perhaps the provider is talking about "credentials" that are entirely separate from Java and the servlet engine.
Bill

Please explain that... I don't understand how credential are separate from the servlet engien .
According to the spec, "Credentials that are acquired through a web login process are associated with the session."
So my understanding is that when the session expires, then the credential have to be acquired again
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic