Two Laptop Bag*
The moose likes Servlets and the fly likes HttpSession expiration Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » Servlets
Bookmark "HttpSession expiration" Watch "HttpSession expiration" New topic
Author

HttpSession expiration

JeanLouis Marechaux
Ranch Hand

Joined: Nov 12, 2001
Posts: 906
hi folks.
Could you just help me on this.
When the HTTPsession expired and you are using form based login, are you supposed to be re-challenged the next time you try to access the application ?
My understanding is that you should have to log i again, but my AppServer provider argue it is not part of the spec

I can't find anything really clear about that in servlet 2.2 spec.
[ October 04, 2002: Message edited by: Bill Bailey ]

/ JeanLouis<br /><i>"software development has been, is, and will remain fundamentally hard" (Grady Booch)</i><br /> <br />Take a look at <a href="http://www.epfwiki.net/wikis/openup/" target="_blank" rel="nofollow">Agile OpenUP</a> in the Eclipse community
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12769
    
    5
You are correct - if the previous session has expired the next access should be just like the initial login. If the session is expired the system should have nothing hanging around from the previous login.
Bill
JeanLouis Marechaux
Ranch Hand

Joined: Nov 12, 2001
Posts: 906
Originally posted by William Brogden:
You are correct - if the previous session has expired the next access should be just like the initial login. If the session is expired the system should have nothing hanging around from the previous login.
Bill

William, do you have any idea where I could find these information in a Sun Spec. Actually, I know it has been added as a note in servlet 2.3 spec (12.5.3.1), but my provider only implement the 2.2 spec.
So they argue even if the the credentials are still valid after httpSession expiration, their product works just fine... and I fully disagree with that...
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12769
    
    5
I fear we may be talking about two different things here. Perhaps the provider is talking about "credentials" that are entirely separate from Java and the servlet engine.
Bill
JeanLouis Marechaux
Ranch Hand

Joined: Nov 12, 2001
Posts: 906
Originally posted by William Brogden:
Perhaps the provider is talking about "credentials" that are entirely separate from Java and the servlet engine.
Bill

Please explain that... I don't understand how credential are separate from the servlet engien .
According to the spec, "Credentials that are acquired through a web login process are associated with the session."
So my understanding is that when the session expires, then the credential have to be acquired again
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: HttpSession expiration