0

I have a web app for which I set up a time-based session cookie expiration as described here: Tomcat session cookie is not sent for context root request

The call to getSession() creates the session when there is no incoming session cookie, and sets the new cookie on the response. For subsequent requests it does not happen, although a timeout-based cookie needs to be prolonged, so that sessions don't time out X minutes after login time.

Do I have to getCookies(), iterate cookies, find session cookie, calculate expiration time, modify cookie, and set it on the response? Or does Tomcat provide that for these kind of sessions?

If I have to do it myself, can I get access to the xml-declared cookie name (to look for in cookies array) and max-age (to calculate new expiration from now).

Community
  • 1
  • 1
Laszlo B
  • 455
  • 3
  • 14
  • If you didn't set a max age on the cookie, it would last for the duration of the browser session, and the session would expire automatically 30 minutes after the last received request for that session. Why do you set a max age? – JB Nizet Dec 16 '15 at 17:16
  • For my use case I want sessions to outlive the browser tab, so user can continue work on any kind of restart. I would still like to synchronize the cookie to the server timeout, so it won't stick around any longer. Right now I have max-age of a day. This works, but not optimal. – Laszlo B Dec 16 '15 at 17:51
  • Then make the max age much longer. The session will still (AFAIK) expire after 30 minutes of inactivity on the server. Note that a session is not linked to a tab. – JB Nizet Dec 16 '15 at 17:52
  • But if the last tab is closed, and cookie is lost, the client cannot resume even if the server session is alive. – Laszlo B Dec 16 '15 at 17:59

0 Answers0