0

I have J2EE system working in Wepsphere Aplicattion Server and the session expires after 15 minutes but when the user press F5 or uses the reload button the session works again. I have this code in my web.xml.

<session-config> <session-timeout>15</session-timeout> </session-config>

Is there an extra configuration to prevent the use of the F5 key or reload buttton.

user2084446
  • 119
  • 2
  • 2
  • 8
  • Normally as long as the user is active. Thats means making calls to the server the session is active. Only when he is inactive for 15min the session should be invalidated. Otherwise you would always lock out the user after 15min. Is this really your expected behavior? – Lorenz Pfisterer Feb 20 '15 at 15:41
  • After the 15 minutes the session expires and that´s ok, but after that 15 minutes if the user press F5 key the web browser send an alert "To display this page, Firefox must send information that will repeat any action (such as a search or order confirmation) that was performed earlier." And the if he accept the session works again. I want that the user uses the login page to access again. – user2084446 Feb 20 '15 at 15:48
  • Then I guess your security mechanism is creating a new session, when the user sends a new request. Or your security mechanism still thinks the given session key is valid. You need to check if the current session was invalidated and if so, redirect the user to your login page. What security mechanism are you using? – Lorenz Pfisterer Feb 20 '15 at 16:00

0 Answers0