Session Expiration?

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

Session Expiration?

tkofford
I'm using jsecurity RC2, and I keep seeing the session for my webapp
expire after 30 minutes. Even though I do reads and writes to the
session, it unconditionally expires after 30 minutes.

Is this by design, or should session access (read or write) delay
session expiration for another 30 minutes?

Thanks,

Todd Kofford
[hidden email]
University of Kansas - IT
Reply | Threaded
Open this post in threaded view
|

Re: Session Expiration?

Les Hazlewood
Administrator
Hi Todd,

Sorry about the late reply - I've been out of town until yesterday.

The session expiration time is calculated based on the session's last
access timestamp.  This timestamp is updated during almost all
operations to a session, so it should be calculated correctly.  Are
you still seeing this?

The sample applications I've tested (after building JSecurity) work as
expected - I can click a link every 15 minutes or so over an hour, and
my session isn't timing out.  I'm confused as to how this is happening
for you.  Do you have any other information?

Cheers,

Les

On Thu, Oct 30, 2008 at 12:16 PM, Kofford, C Todd <[hidden email]> wrote:

> I'm using jsecurity RC2, and I keep seeing the session for my webapp
> expire after 30 minutes. Even though I do reads and writes to the
> session, it unconditionally expires after 30 minutes.
>
> Is this by design, or should session access (read or write) delay
> session expiration for another 30 minutes?
>
> Thanks,
>
> Todd Kofford
> [hidden email]
> University of Kansas - IT
>
Reply | Threaded
Open this post in threaded view
|

Re: Session Expiration?

Alan Cabrera
Could the sample app that you're using use the WebSession and the one  
that Todd is testing use the SimpleSession?


Regards,
Alan
On Nov 11, 2008, at 11:50 AM, Les Hazlewood wrote:

> Hi Todd,
>
> Sorry about the late reply - I've been out of town until yesterday.
>
> The session expiration time is calculated based on the session's last
> access timestamp.  This timestamp is updated during almost all
> operations to a session, so it should be calculated correctly.  Are
> you still seeing this?
>
> The sample applications I've tested (after building JSecurity) work as
> expected - I can click a link every 15 minutes or so over an hour, and
> my session isn't timing out.  I'm confused as to how this is happening
> for you.  Do you have any other information?
>
> Cheers,
>
> Les
>
> On Thu, Oct 30, 2008 at 12:16 PM, Kofford, C Todd <[hidden email]>  
> wrote:
>> I'm using jsecurity RC2, and I keep seeing the session for my webapp
>> expire after 30 minutes. Even though I do reads and writes to the
>> session, it unconditionally expires after 30 minutes.
>>
>> Is this by design, or should session access (read or write) delay
>> session expiration for another 30 minutes?
>>
>> Thanks,
>>
>> Todd Kofford
>> [hidden email]
>> University of Kansas - IT
>>
>

Reply | Threaded
Open this post in threaded view
|

RE: Session Expiration?

tkofford
For my webapp, I am using JSECURITY_SESSION_MODE and I'm guessing that
jsecurity implements this using the SimpleSession class. In tracing
through the source code when reading/writing session attributes from my
webapp, the calls always ends up at the SimpleSession class. In the
SimpleSession class, the last access timestamp was not being updated
during reads or writes to the session. I provided a patch for this which
remedied the problem, at least in my case.

Hopefully, that was the problem, but someone a lot more familiar with
the jsecurity architecture (Les) might want to analyze this problem and
the patch that I provided.

I'd be happy to provide any additional information if needed.

Thanks,

Todd Kofford
[hidden email]

 

-----Original Message-----
From: Alan D. Cabrera [mailto:[hidden email]]
Sent: Tuesday, November 11, 2008 3:24 PM
To: [hidden email]
Subject: Re: Session Expiration?

Could the sample app that you're using use the WebSession and the one  
that Todd is testing use the SimpleSession?


Regards,
Alan
On Nov 11, 2008, at 11:50 AM, Les Hazlewood wrote:

> Hi Todd,
>
> Sorry about the late reply - I've been out of town until yesterday.
>
> The session expiration time is calculated based on the session's last
> access timestamp.  This timestamp is updated during almost all
> operations to a session, so it should be calculated correctly.  Are
> you still seeing this?
>
> The sample applications I've tested (after building JSecurity) work as
> expected - I can click a link every 15 minutes or so over an hour, and
> my session isn't timing out.  I'm confused as to how this is happening
> for you.  Do you have any other information?
>
> Cheers,
>
> Les
>
> On Thu, Oct 30, 2008 at 12:16 PM, Kofford, C Todd <[hidden email]>  
> wrote:
>> I'm using jsecurity RC2, and I keep seeing the session for my webapp
>> expire after 30 minutes. Even though I do reads and writes to the
>> session, it unconditionally expires after 30 minutes.
>>
>> Is this by design, or should session access (read or write) delay
>> session expiration for another 30 minutes?
>>
>> Thanks,
>>
>> Todd Kofford
>> [hidden email]
>> University of Kansas - IT
>>
>

Reply | Threaded
Open this post in threaded view
|

Re: Session Expiration?

Les Hazlewood
Administrator
Thanks for the patch Todd!  This has been resolved :)

Cheers,

Les

On Wed, Nov 12, 2008 at 9:27 AM, Kofford, C Todd <[hidden email]> wrote:

> For my webapp, I am using JSECURITY_SESSION_MODE and I'm guessing that
> jsecurity implements this using the SimpleSession class. In tracing
> through the source code when reading/writing session attributes from my
> webapp, the calls always ends up at the SimpleSession class. In the
> SimpleSession class, the last access timestamp was not being updated
> during reads or writes to the session. I provided a patch for this which
> remedied the problem, at least in my case.
>
> Hopefully, that was the problem, but someone a lot more familiar with
> the jsecurity architecture (Les) might want to analyze this problem and
> the patch that I provided.
>
> I'd be happy to provide any additional information if needed.
>
> Thanks,
>
> Todd Kofford
> [hidden email]
>
>
>
> -----Original Message-----
> From: Alan D. Cabrera [mailto:[hidden email]]
> Sent: Tuesday, November 11, 2008 3:24 PM
> To: [hidden email]
> Subject: Re: Session Expiration?
>
> Could the sample app that you're using use the WebSession and the one
> that Todd is testing use the SimpleSession?
>
>
> Regards,
> Alan
> On Nov 11, 2008, at 11:50 AM, Les Hazlewood wrote:
>
>> Hi Todd,
>>
>> Sorry about the late reply - I've been out of town until yesterday.
>>
>> The session expiration time is calculated based on the session's last
>> access timestamp.  This timestamp is updated during almost all
>> operations to a session, so it should be calculated correctly.  Are
>> you still seeing this?
>>
>> The sample applications I've tested (after building JSecurity) work as
>> expected - I can click a link every 15 minutes or so over an hour, and
>> my session isn't timing out.  I'm confused as to how this is happening
>> for you.  Do you have any other information?
>>
>> Cheers,
>>
>> Les
>>
>> On Thu, Oct 30, 2008 at 12:16 PM, Kofford, C Todd <[hidden email]>
>> wrote:
>>> I'm using jsecurity RC2, and I keep seeing the session for my webapp
>>> expire after 30 minutes. Even though I do reads and writes to the
>>> session, it unconditionally expires after 30 minutes.
>>>
>>> Is this by design, or should session access (read or write) delay
>>> session expiration for another 30 minutes?
>>>
>>> Thanks,
>>>
>>> Todd Kofford
>>> [hidden email]
>>> University of Kansas - IT
>>>
>>
>
>