• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Liutauras Vilda
  • Jeanne Boyarsky
  • Devaka Cooray
  • Paul Clapham
Sheriffs:
  • Tim Cooke
  • Knute Snortum
  • Bear Bibeault
Saloon Keepers:
  • Ron McLeod
  • Tim Moores
  • Stephan van Hulst
  • Piet Souris
  • Ganesh Patekar
Bartenders:
  • Frits Walraven
  • Carey Brown
  • Tim Holloway

session timeout

 
Greenhorn
Posts: 2
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I know we can set session timeout in web.xml.  But it seems when you click on the app after session times out, it doesn't automatically take you back to the login page.  Is it normal ?  What's the expected behave when you click on the app after the time has exceeded the max timeout you set in web.xml ?
 
Master Rancher
Posts: 451
6
IntelliJ IDE Spring Fedora
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
For this site it seems like when your session is over it doesn't send you anywhere. If you want to do something that requires you to be logged then you have to login of course.
 
Bartender
Posts: 20828
125
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
If you are using J2EE standard security, you define which URL patterns you want secured in the security section of web.xml. Unless you attempt to submit one of those protected URLs, the security system will not care - it will happily allow the unsecured URL to be processed.

On the other hand, if you are NOT logged in - whether because you were not previously logged in OR because your session timed out, THEN the server will intercept the request, put it on hold and present the login page or dialog. Only after you have logged in will it then pull the original request off hold and proceed to process it as though you hadn't been briefly distracted.

This mechanism means 2 things: 1) that protected URLs are always protected and you can't hack around them by doing bypasses or playing with timeouts. 2) Since J2EE has no concept of a master entry point, you can bookmark secured pages and jump straight to them (allowing for the login process). Less flexible systems don't allow bookmarking, so users have to slog through stuff that they may not want to endure before they can get to their favorite pages.
 
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!