Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Tomcat Session Timeout web.xml

This is my web.xml file, it is located in WEB-INF/lib. It specifies session timeout at 1 minute, however it does not time the user out after 1 minute of activity.

Web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    <servlet>
        <servlet-name>Login</servlet-name>
        <servlet-class>Login</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>Login</servlet-name>
        <url-pattern>/Login</url-pattern>
    </servlet-mapping>
    <session-config>
        <session-timeout>1</session-timeout>
    </session-config>
</web-app>

I used this line session.getMaxInactiveInterval() in my jsp file and it outputted 1800 (30 minutes) . Does anyone why it defaults to 30 rather than using the time specified in my web.xml file?

EDIT:

I've code on my jsp page which checks for session attribute and if it does exist redirects the user to the login page after a minute even on page refresh the user is not redirected.

if(session.getAttribute("username") != null){
                            out.println(session.getAttribute("username"));
                        }else{
                            response.setStatus(response.SC_MOVED_TEMPORARILY);
                            response.setHeader("Location", "index.jsp");
                        }

EDIT Full Code (Login.java):

package com.labs.xmlgenerator.controller.managesession;

import java.io.IOException;
import java.sql.SQLException;
import java.util.HashMap;

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import com.labs.xmlgenerator.model.dbconnection.*;
/**
 * Servlet implementation class Login
 */
@WebServlet(description = "Verifies Users Credentials", urlPatterns = { "/Login" })
public class Login extends HttpServlet {
    private static final long serialVersionUID = 1L;

    private DbLoginQueries query = new DbLoginQueries();


    /**
     * @see HttpServlet#HttpServlet()
     */
    /*
    public Login() {
        super();
        // TODO Auto-generated constructor stub
    }*/

    /**
     * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
     */
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

        try {
            validateLoginCredentials(request.getParameter("liUsr"),request.getParameter("liPwd"),request,response);
        } catch (ClassNotFoundException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        } catch (SQLException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }

    }

    private void validateLoginCredentials (String username, String password, HttpServletRequest request, HttpServletResponse response) throws IOException, ClassNotFoundException, SQLException{

        Boolean valid = true;
        int resultSize;
        HashMap<String, String> userDetails = null;
        HttpSession session = request.getSession(true);
        String location = "index.jsp";
        Cookie usernameErrorCookie;
        Cookie passwordErrorCookie;
        Cookie usernameCookie;

        if(username == null || username == ""){
            valid = false;
            usernameErrorCookie = new Cookie("liUsrErrCookie","Please enter a valid username");
            response.addCookie(usernameErrorCookie);
        }else{
            usernameCookie = new Cookie("liUsrCookie",username);
            response.addCookie(usernameCookie);
        }

        if(password == null || password == ""){
            valid = false;
            passwordErrorCookie = new Cookie("liPwdErrCookie","Please enter a valid password");
            response.addCookie(passwordErrorCookie);
        }

        if(valid == true){
            userDetails = query.loginQuery(username);
            resultSize = userDetails.size();
            if(resultSize < 4){
                valid = false;
                usernameErrorCookie = new Cookie("liUsrErrCookie","The username entered is not valid");
                response.addCookie(usernameErrorCookie);
            }
            else if(resultSize > 4){
                valid = false;
                usernameErrorCookie = new Cookie("liUsrErrCookie","The username is returning more than one result, please contact admin");
                response.addCookie(usernameErrorCookie);
            }
            else if(resultSize == 4){

                if(!userDetails.get("Password").equals(password)){
                    valid = false;
                    passwordErrorCookie = new Cookie("liPwdErrCookie","The entered password is incorrect");
                    response.addCookie(passwordErrorCookie);
                }
            }
        }


        if(valid == true){
            session.setAttribute("username", userDetails.get("Username"));
            session.setAttribute("permission", userDetails.get("AdminPermissions"));
            session.setAttribute("email", userDetails.get("Email"));
            location = "home.jsp";

        }else{
            location = "index.jsp#login";
        }

        response.setStatus(response.SC_MOVED_TEMPORARILY);
        response.setHeader("Location", location);

    }
}

home.jsp

<?xml version="1.0" encoding="ISO-8859-1" ?>
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>Home</title>
    <link rel="stylesheet" href="resources/css/Common.css" type="text/css">
    <script src="//ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>
    <script src="resources/js/Common.js"></script>
</head>
<body>
    <header>
        <div id="actionsMenu">
            <ul id="actionLinks">
                <li><a class="linkButtons" id="userNameLink">
                                     <%
                        System.out.println(session.getMaxInactiveInterval());
                        if(session.getAttribute("username") != null){
                            out.println(session.getAttribute("username"));
                        }else{
                            out.println("no user");
                            /*
                            response.setStatus(response.SC_MOVED_TEMPORARILY);
                            response.setHeader("Location", "index.jsp");*/
                        }   
                    %>
                </a></li>
                <li><a class="linkButtons" href="Logout">Log Out</a></li>
                <li><a class="linkButtons"  href="#">Update</a></li>
            </ul>
        </div>
    </header>
    <nav class="tabs">
        <section id="generateSection">
            <h2 class="selectedTab" id="generateTab">
                <a id="gene" href="#generateXML">Generate XML</a>
            </h2>
            <div class="selectedContent" id="generateNav">
                <ul id="links">
                    <li><a class="navLink" href="#graphic">Graphic Interface</a></li>
                    <li><a class="navLink" href="#xml">XML Interface</a></li>
                </ul>
            </div>
        </section>
        <section id="adminSection">
            <h2 class="normalTab" id="adminTab">
                <a href="#admin">Admin</a>
            </h2>
            <div class="normalContent" id="adminNav">
                <ul id="links">
                    <li><a class="navLink" href="#images">Manage Images</a></li>
                    <li><a class="navLink" href="#keywords">Manage Keywords</a></li>
                    <li><a class="navLink" href="#users">Manage Users</a></li>
                </ul>
            </div>
        </section>
    </nav>  
    <div id="content">
        <noscript><p id="javascriptError">This website requires JavaScript to be enabled.</p></noscript>
    </div>
    <div id="updateUserDetails"></div>
    <div id="popup">
        <input type="button" value="X" id="exitButton">
        <p class="pageTitle" style="float:left; margin:0px;">Update Details</p>
        <form id="updateForm"  action="Update" onsubmit="return updateValidation()" method="post" >
            <p id="user">Username :</p>
            <p id="userNameUpdate"><%
                if(session.getAttribute("username") != null){
                    out.println(session.getAttribute("username"));
                }%></p>
            <p class="error" id="updCurrentPwdErr">
            <% 
                        Cookie[] currentPassEror = null;
                        currentPassEror = request.getCookies();
                        if(currentPassEror != null){
                            for(int i = 0; i < currentPassEror.length; i++){
                                 Cookie cookie = currentPassEror[i];
                                 if(cookie.getName().equals("updCurrentPwdErrCookie")){
                                     out.println(cookie.getValue());
                                     cookie.setMaxAge(0);
                                     response.addCookie(cookie);
                                 }
                             }
                        }
                        %>
            </p>
            <label for="updCurrentPwdLbl">Current Password :</label>
            <br />
            <input type="password" name="updCurrentPwd" id="updCurrentPwd">
            <br />
            <p class="error" id="updNewPwdErr">
            <% 
                        Cookie[] newPassCookies = null;
                        newPassCookies = request.getCookies();
                        if(newPassCookies != null){
                            for(int i = 0; i < newPassCookies.length; i++){
                                 Cookie cookie = newPassCookies[i];
                                 if(cookie.getName().equals("updNewPwdErrCookie")){
                                     out.println(cookie.getValue());
                                     cookie.setMaxAge(0);
                                     response.addCookie(cookie);
                                 }
                             }
                        }
            %></p>
            <label for="updNewPwdLbl">New Password :</label>
            <br />
            <input type="password" id="updNewPwd" name="updNewPwd">
            <br />
            <p class="error" id="updReNewPwdErr">
            <% 
                        Cookie[] reNewPassCookies = null;
                        reNewPassCookies = request.getCookies();
                        if(reNewPassCookies != null){
                            for(int i = 0; i < reNewPassCookies.length; i++){
                                 Cookie cookie = reNewPassCookies[i];
                                 if(cookie.getName().equals("updReNewPwdErrCookie")){
                                     out.println(cookie.getValue());
                                     cookie.setMaxAge(0);
                                     response.addCookie(cookie);
                                 }
                             }
                        }
            %>          
            </p>
            <label for="updReNewPwdLbl">Re-Enter New Password :</label>
            <br />
            <input type="password" id="updReNewPwd" name="updReNewPwd">
            <br />
            <p class="error" id="updEmailErr">
            <% 
                        Cookie[] emailErrCookies = null;
            emailErrCookies = request.getCookies();
                        if(emailErrCookies != null){
                            for(int i = 0; i < emailErrCookies.length; i++){
                                 Cookie cookie = emailErrCookies[i];
                                 if(cookie.getName().equals("updEmailErrCookie")){
                                     out.println(cookie.getValue());
                                     cookie.setMaxAge(0);
                                     response.addCookie(cookie);
                                 }
                             }
                        }
            %>
            </p>
            <label for="updEmailLbl">Email :</label>
            <br />
            <input type="text" id="updEmail" name="updEmail" value="<%
                    boolean foundEmailCookie = false;
                    Cookie[] emailCookies = null;
            emailCookies = request.getCookies();
                    if(emailCookies != null){
                        for(int i = 0; i < emailCookies.length; i++){
                             Cookie cookie = emailCookies[i];
                             if(cookie.getName().equals("updEmailCookie")){
                                 foundEmailCookie = true;
                                 out.println(cookie.getValue());
                                 cookie.setMaxAge(0);
                                 response.addCookie(cookie);
                             }
                         }
                    }
                    if(!foundEmailCookie){
                        if(session.getAttribute("email") != null){
                            out.println(session.getAttribute("email"));
                        }
                    }
            %>">
            <input type="hidden" id="updUrl" name="updUrl" value="">
            <br />
            <input type="submit" value="UPDATE">
        </form>
    </div>
</body>
</html>
like image 563
Colin747 Avatar asked Nov 19 '12 21:11

Colin747


People also ask

Which element in web xml defines the session timeout in minutes?

The session-timeout element defines the default session timeout interval for all sessions created in this web application. The specified timeout must be expressed in a whole number of minutes.

How do I invalidate a session in web xml?

To invalidate a session manually, call the following method: session. invalidate();

How does Tomcat handle session timeout?

xml file for Tomcat specifies how long an Administration Console session can remain inactive before the session times out and the administrator must authenticate again. The default value is 30 minutes. Open the web. xml file in a text editor and search for the <session-timeout> parameter.


2 Answers

Session timeout hierarchy:

  • TOMCAT_HOME/conf/web.xml
  • WebApplication/webapp/WEB-INF/web.xml
  • Hardcoding your session timeout in Java : HttpSession.setMaxInactiveInterval(int)

The order of the session timeout configuration:

HttpSession.setMaxInactiveInterval(int) > $WebApplication/webapp/WEB-INF/web.xml > $TOMCAT_HOME/conf/web.xml

Each subsequent entry overrides the above configuration.

Best regards.

like image 150
Ahmed MANSOUR Avatar answered Oct 04 '22 06:10

Ahmed MANSOUR


The web.xml should be directly in WEB-INF, not in WEB-INF/lib.

like image 23
Koshinae Avatar answered Oct 04 '22 07:10

Koshinae