Discussion:
How do I set maxage on the JSESSIONID cookie?
Jesse Barnum
2007-06-29 15:37:34 UTC
Permalink
I would like to have a session ID cookie that has a max age of 48
hours, so that if a user comes back to my site after closing their
browser, they will still have the same session on the server. How can
I configure Tomcat to set the max age of the session ID cookie to
anything other than -1?

--Jesse Barnum, President, 360Works
http://www.360works.com
(770) 234-9293



---------------------------------------------------------------------
To start a new topic, e-mail: ***@tomcat.apache.org
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
Len Popp
2007-06-29 17:16:29 UTC
Permalink
Doesn't the session cookie disappear when the user closes the browser?
In browsers that I've used anyway, session cookies are not stored on
disk like regular cookies, so the session is lost when the browser is
closed.
--
Len
Post by Jesse Barnum
I would like to have a session ID cookie that has a max age of 48
hours, so that if a user comes back to my site after closing their
browser, they will still have the same session on the server. How can
I configure Tomcat to set the max age of the session ID cookie to
anything other than -1?
--Jesse Barnum, President, 360Works
http://www.360works.com
(770) 234-9293
---------------------------------------------------------------------
---------------------------------------------------------------------
To start a new topic, e-mail: ***@tomcat.apache.org
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
Jesse Barnum
2007-06-29 17:27:13 UTC
Permalink
Well, you can set the max age on a cookie to something > 0, which
means that it will persist for that amount of time, even if the
user's browser window is closed. I'm just trying to figure out if
there is a way to tell Tomcat to set that property on the cookies
that it creates to store the session ID's. I don't think that there
is anything special about a 'session cookie' versus a 'regular cookie'

--Jesse Barnum, President, 360Works
http://www.360works.com
(770) 234-9293
Post by Len Popp
Doesn't the session cookie disappear when the user closes the browser?
In browsers that I've used anyway, session cookies are not stored on
disk like regular cookies, so the session is lost when the browser is
closed.
--
Len
---------------------------------------------------------------------
To start a new topic, e-mail: ***@tomcat.apache.org
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
Christopher Schultz
2007-06-29 17:53:50 UTC
Permalink
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All,
Well, you can set the max age on a cookie to something > 0, which means
that it will persist for that amount of time, even if the user's browser
window is closed. I'm just trying to figure out if there is a way to
tell Tomcat to set that property on the cookies that it creates to store
the session ID's.
You may have to do it manually (that is, grab the Cookie object from the
response and force the maxage).

On the other hand, the user's session is going to time out within that
48 hours, so what's the point of maintaining the JSESSIONID cookie past
the browser-session?

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGhUcu9CaO5/Lv0PARAjzeAJ9PAkO2n4InRn9s9KaoCTlZ6gogowCgipM2
VibFQ3g7DvtU4ajdOcsOa94=
=Jdtn
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To start a new topic, e-mail: ***@tomcat.apache.org
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
Eric Berry
2007-06-29 18:50:26 UTC
Permalink
You will probably have to write a valve for this. I had to write one
to set the session cookie's domain so that it's a site wide domain.

I posted the code to this mailing list a while back. If you do a
search you should be able to find it, if not let me know I'll see if I
can get a hold of it.

Eric
Post by Christopher Schultz
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
All,
Well, you can set the max age on a cookie to something > 0, which means
that it will persist for that amount of time, even if the user's browser
window is closed. I'm just trying to figure out if there is a way to
tell Tomcat to set that property on the cookies that it creates to store
the session ID's.
You may have to do it manually (that is, grab the Cookie object from the
response and force the maxage).
On the other hand, the user's session is going to time out within that
48 hours, so what's the point of maintaining the JSESSIONID cookie past
the browser-session?
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGhUcu9CaO5/Lv0PARAjzeAJ9PAkO2n4InRn9s9KaoCTlZ6gogowCgipM2
VibFQ3g7DvtU4ajdOcsOa94=
=Jdtn
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
--
Learn from the past. Live in the present. Plan for the future.

---------------------------------------------------------------------
To start a new topic, e-mail: ***@tomcat.apache.org
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
Jesse Barnum
2007-06-29 22:04:57 UTC
Permalink
Eric, I found your code, so I'll try to modify it for my needs. I've
never written a valve before, so wish me luck!

Chris, this is an internal application which will not be accessed by
more than 7 people, so the server session timeout will be 48 hours.
The idea is for the application to be accessible only to these
certain people while minimizing the need for logins.

--Jesse Barnum, President, 360Works
http://www.360works.com
(770) 234-9293
Post by Eric Berry
You will probably have to write a valve for this. I had to write one
to set the session cookie's domain so that it's a site wide domain.
I posted the code to this mailing list a while back. If you do a
search you should be able to find it, if not let me know I'll see if I
can get a hold of it.
Eric
Post by Christopher Schultz
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
All,
Post by Jesse Barnum
Well, you can set the max age on a cookie to something > 0,
which means
Post by Jesse Barnum
that it will persist for that amount of time, even if the user's
browser
Post by Jesse Barnum
window is closed. I'm just trying to figure out if there is a
way to
Post by Jesse Barnum
tell Tomcat to set that property on the cookies that it creates
to store
Post by Jesse Barnum
the session ID's.
You may have to do it manually (that is, grab the Cookie object from the
response and force the maxage).
On the other hand, the user's session is going to time out within that
48 hours, so what's the point of maintaining the JSESSIONID cookie past
the browser-session?
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGhUcu9CaO5/Lv0PARAjzeAJ9PAkO2n4InRn9s9KaoCTlZ6gogowCgipM2
VibFQ3g7DvtU4ajdOcsOa94=
=Jdtn
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
--
Learn from the past. Live in the present. Plan for the future.
---------------------------------------------------------------------
---------------------------------------------------------------------
To start a new topic, e-mail: ***@tomcat.apache.org
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
Jesse Barnum
2007-06-29 23:05:15 UTC
Permalink
Eric, that worked - your code was very helpful, thanks. I wound up
doing it as a Filter instead of a Valve, so that it would not be tied
to Tomcat.

Here is the code in case anybody else would find it useful:

--Jesse Barnum, President, 360Works
http://www.360works.com
(770) 234-9293



package com.prosc.servlet;

import javax.servlet.*;
import javax.servlet.http.*;
import java.io.IOException;

/**
* This class will set the cookie maxAge to match the session timeout
value. That way, a user who closes their browser and
* re-enters the site will still have the same session if it has not
timed out on the server.
*/
public class SessionCookieExtender implements Filter {
private static final String JSESSIONID = "JSESSIONID";

public void init( FilterConfig config ) throws ServletException {}

public void doFilter( ServletRequest _request, ServletResponse
_response, FilterChain chain ) throws IOException, ServletException {
if( _response instanceof HttpServletResponse ) {
HttpServletRequest httpRequest = (HttpServletRequest)_request;
HttpServletResponse httpResponse = (HttpServletResponse)_response;

HttpSession session = httpRequest.getSession();
if( session != null && session.getId() != null ) {
Cookie sessionCookie = new Cookie( JSESSIONID, session.getId() );
int sessionTimeoutSeconds = session.getMaxInactiveInterval();
sessionCookie.setMaxAge( sessionTimeoutSeconds );
sessionCookie.setPath( httpRequest.getContextPath() );
httpResponse.addCookie( sessionCookie ); //FIX! This doesn't
actually get rid of the other cookie, but it seems to work OK
}
}
chain.doFilter( _request, _response );
}

public void destroy() {}
}
Post by Eric Berry
You will probably have to write a valve for this. I had to write one
to set the session cookie's domain so that it's a site wide domain.
I posted the code to this mailing list a while back. If you do a
search you should be able to find it, if not let me know I'll see if I
can get a hold of it.
Eric
Post by Christopher Schultz
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
All,
Post by Jesse Barnum
Well, you can set the max age on a cookie to something > 0,
which means
Post by Jesse Barnum
that it will persist for that amount of time, even if the user's
browser
Post by Jesse Barnum
window is closed. I'm just trying to figure out if there is a
way to
Post by Jesse Barnum
tell Tomcat to set that property on the cookies that it creates
to store
Post by Jesse Barnum
the session ID's.
You may have to do it manually (that is, grab the Cookie object from the
response and force the maxage).
On the other hand, the user's session is going to time out within that
48 hours, so what's the point of maintaining the JSESSIONID cookie past
the browser-session?
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGhUcu9CaO5/Lv0PARAjzeAJ9PAkO2n4InRn9s9KaoCTlZ6gogowCgipM2
VibFQ3g7DvtU4ajdOcsOa94=
=Jdtn
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
--
Learn from the past. Live in the present. Plan for the future.
---------------------------------------------------------------------
---------------------------------------------------------------------
To start a new topic, e-mail: ***@tomcat.apache.org
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
Martin Gainty
2007-06-29 23:32:36 UTC
Permalink
Curious as to why you're writing a Filter
Are you modifying Request Headers or the Request itself?
Thx,
M--
This email message and any files transmitted with it contain confidential
information intended only for the person(s) to whom this email message is
addressed. If you have received this email message in error, please notify
the sender immediately by telephone or email and destroy the original
message without making a copy. Thank you.

----- Original Message -----
From: "Jesse Barnum" <***@360works.com>
To: "Tomcat Users List" <***@tomcat.apache.org>
Sent: Friday, June 29, 2007 7:05 PM
Subject: [SOLVED] Re: How do I set maxage on the JSESSIONID cookie?
Post by Jesse Barnum
Eric, that worked - your code was very helpful, thanks. I wound up
doing it as a Filter instead of a Valve, so that it would not be tied
to Tomcat.
--Jesse Barnum, President, 360Works
http://www.360works.com
(770) 234-9293
package com.prosc.servlet;
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.IOException;
/**
* This class will set the cookie maxAge to match the session timeout
value. That way, a user who closes their browser and
* re-enters the site will still have the same session if it has not
timed out on the server.
*/
public class SessionCookieExtender implements Filter {
private static final String JSESSIONID = "JSESSIONID";
public void init( FilterConfig config ) throws ServletException {}
public void doFilter( ServletRequest _request, ServletResponse
_response, FilterChain chain ) throws IOException, ServletException {
if( _response instanceof HttpServletResponse ) {
HttpServletRequest httpRequest = (HttpServletRequest)_request;
HttpServletResponse httpResponse = (HttpServletResponse)_response;
HttpSession session = httpRequest.getSession();
if( session != null && session.getId() != null ) {
Cookie sessionCookie = new Cookie( JSESSIONID, session.getId() );
int sessionTimeoutSeconds = session.getMaxInactiveInterval();
sessionCookie.setMaxAge( sessionTimeoutSeconds );
sessionCookie.setPath( httpRequest.getContextPath() );
httpResponse.addCookie( sessionCookie ); //FIX! This doesn't
actually get rid of the other cookie, but it seems to work OK
}
}
chain.doFilter( _request, _response );
}
public void destroy() {}
}
Post by Eric Berry
You will probably have to write a valve for this. I had to write one
to set the session cookie's domain so that it's a site wide domain.
I posted the code to this mailing list a while back. If you do a
search you should be able to find it, if not let me know I'll see if I
can get a hold of it.
Eric
Post by Christopher Schultz
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
All,
Post by Jesse Barnum
Well, you can set the max age on a cookie to something > 0,
which means
Post by Jesse Barnum
that it will persist for that amount of time, even if the user's
browser
Post by Jesse Barnum
window is closed. I'm just trying to figure out if there is a
way to
Post by Jesse Barnum
tell Tomcat to set that property on the cookies that it creates
to store
Post by Jesse Barnum
the session ID's.
You may have to do it manually (that is, grab the Cookie object from the
response and force the maxage).
On the other hand, the user's session is going to time out within that
48 hours, so what's the point of maintaining the JSESSIONID cookie past
the browser-session?
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGhUcu9CaO5/Lv0PARAjzeAJ9PAkO2n4InRn9s9KaoCTlZ6gogowCgipM2
VibFQ3g7DvtU4ajdOcsOa94=
=Jdtn
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
--
Learn from the past. Live in the present. Plan for the future.
---------------------------------------------------------------------
---------------------------------------------------------------------
---------------------------------------------------------------------
To start a new topic, e-mail: ***@tomcat.apache.org
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
Jesse Barnum
2007-07-02 12:37:34 UTC
Permalink
I'm modifying the response by appending a session cookie whose maxAge
has been configured to a positive value. I'm writing it as a Filter
because 1) Eric suggested that (well, he suggested a Valve, but from
my limited understanding, it seems like a Filter does the same thing
and is not specific to Tomcat) and 2) it seems like this will make it
easy to to use with any other servlet app that I want.

--Jesse Barnum, President, 360Works
http://www.360works.com
(770) 234-9293
Post by Martin Gainty
Curious as to why you're writing a Filter
Are you modifying Request Headers or the Request itself?
Thx,
M--
---------------------------------------------------------------------
To start a new topic, e-mail: ***@tomcat.apache.org
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org

Loading...