
Prompting to relogin on timeout

Raj Puri
Ranch Hand

Joined: Apr 24, 2003
Posts: 189
I am implementing the BASIC authentication mechanism. It seems that when the timeout is met I cannot log in. Should Tomcat re-prompt with the login dialog automatically? I would expect so. How can I force that? Right now the user has to close the browser and restart.
Mike Curwen
Ranch Hand

Joined: Feb 20, 2001
Posts: 3695

I think this is what you're experiencing:
1) BASIC AUTH is protecting your site, so you are prompted by the browser for a login.
2) The AUTH mechanism logs you in, and your browser will now send your authentication token as a header with each request.
3) Once authenticated, your pages can be accessed in an authenticated, but otherwise 'regular' way, and an HttpSession is created by Tomcat.
4) Go away from the PC for a long enough time, and your HttpSession has expired, but your BASIC AUTH header has not.

I think you'll probably have to match the HttpSession expiry behaviour with that of the authentication method you've chosen. BASIC AUTH does not 'expire' until you close the browser window. So you'll need to make your session last at least this long; this will mean "indefinitely".

There is a <session-timeout> element in web.xml that you can set to -1, meaning "will not expire" (until the browser window closes).
Raj Puri
Ranch Hand

Joined: Apr 24, 2003
Posts: 189
This is what I am doing currently:
I set the session timeout to 1 minute in web.xml via the <session-config> tag.
In my JSP I check whether a timeout occurred using if newsession(). If it is not a new session (i.e. timeout met, session invalidated) I want to re-prompt for login. I am using BASIC authentication. It works fine: it prompts the user for login initially, and after I leave the PC alone for 1 minute and click my submit button (where I have code to check newsession), the timeout is detected, as I can see from my coded alert there. I want to send a message to the user that the session was invalidated, and then BASIC authentication should show its internal login window for the user to re-login. Is this doable, or am I expecting too much from BASIC?
Mike Curwen
Ranch Hand

Joined: Feb 20, 2001
Posts: 3695

You're expecting too much from BASIC, I think. Because in your mind, you're relating the Java HttpSession object with an HTTP BASIC AUTH token that is sent in the Header, by your browser.

That your server-side Session object has expired, has nothing to do with your client-side Authentication header. The only way to "un-authenticate" or "expire" this token is to close the browser.

Hmm..... that I know of. Perhaps there *is* a way.
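
One way to get the re-prompt asked about in this thread, as an added example that is not part of the original posts: a servlet filter that spots a timed-out HttpSession on a request still carrying BASIC credentials and answers with a fresh 401 challenge. The class name and realm value are hypothetical, and it assumes container-managed BASIC authentication has already run before the filter.

```java
import java.io.IOException;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpFilter;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/**
 * Added example (hypothetical class name). Map it in web.xml or with @WebFilter
 * to the same URL patterns as the BASIC-protected security constraint.
 * On Tomcat 9 and earlier, use the javax.servlet packages instead.
 */
public class ReauthOnSessionExpiryFilter extends HttpFilter {

    // Assumption: should match <realm-name> in the web.xml <login-config>.
    private static final String REALM = "Example Realm";

    @Override
    protected void doFilter(HttpServletRequest req, HttpServletResponse res,
                            FilterChain chain) throws IOException, ServletException {
        // The browser presented a session ID the container no longer knows:
        // the HttpSession timed out while the browser kept its cached credentials.
        boolean sessionExpired = req.getRequestedSessionId() != null
                && !req.isRequestedSessionIdValid();

        // Only challenge requests whose credentials the container just accepted.
        if (sessionExpired && req.getRemoteUser() != null) {
            // Create the replacement session now, so the retry that follows the
            // login dialog arrives with a valid session ID and is not challenged again.
            req.getSession(true);

            // A 401 in reply to a request that carried credentials tells the
            // browser they were refused, so it shows the login dialog again.
            res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            res.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
            res.setContentType("text/plain;charset=UTF-8");
            res.getWriter().write("Your session timed out. Please log in again.");
            return;
        }
        chain.doFilter(req, res);
    }
}
```

This only makes the browser ask again; the same username and password remain valid on the server, so a client that replays the old Authorization header with the new session cookie is still accepted.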
 