
Tomcat session cookie doesn't expire

I have a web application in Tomcat 7 which keeps user information in session as a DTO object. I also have Spring security enabled for my project which automatically redirects a user to a login page if the user does not have a session.

If I log in to my application once and then restart Tomcat in Eclipse, what happens is that my session gets flushed out but the cookie does not go.

What this means is that after server restart there is no UserDto in session but a valid JSESSIONID remains with browser. Thus spring security still thinks that the user is logged in when in fact he's not.

Why is this happening? (I have checked the type of the JSESSIONID cookie by viewing page info in Firefox; it says Expire: At end of session. Thus it should ideally expire at server restart, or shouldn't it?)

Edit: Though Firefox says Expire: At end of session, the cookie is still there if I close and restart Firefox.

The cookie is held in the browser: when the server restarts but the browser continues to run, it will hold onto the cookie and present it to the server on the next request.

Now on the server side, you have multiple options: you can configure Tomcat's SessionManager to persist sessions on disk and read the content upon restart. This is an option that is also used to distribute sessions between multiple Tomcats in a cluster: when the session is serialized to disk, any server can continue the session by "just" deserializing it. There's some cost implied (as you constantly need to serialize sessions).

Currently I can't give you more concrete hints than this, but if you look it up and understand the difference between where the cookie is stored, why it doesn't change on server restart, and that you'll have to look up the Tomcat documentation of the session manager, you'll hopefully manage to figure it out.
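To make the point of this answer concrete on the server side: a request arriving after a restart carries a JSESSIONID that Tomcat no longer knows, and the Servlet API lets the application detect exactly that case. The filter below is an added example written for this page, not code from the question or from Spring Security; it assumes the logged-in user's DTO is stored under a session attribute named "userDto" and that the login page lives at "/login" (both are assumptions, not taken from the question). When the browser presents a session id that is not valid, or a session that has no user in it, the filter overwrites the cookie with Max-Age=0 so the browser stops sending the stale id, and redirects to the login page.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Servlet 3.0 / Tomcat 7 style (javax.servlet). Example code, not from the original post.
public class StaleSessionFilter implements Filter {
    // Assumed attribute name for the logged-in user's DTO (not given in the question).
    private static final String USER_ATTR = "userDto";
    // Assumed login page path (not given in the question).
    private static final String LOGIN_PATH = "/login";

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Never block the login page itself, or the user could not log in again.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (path.startsWith(LOGIN_PATH)) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false) never creates a session. After a restart the browser still
        // sends its old JSESSIONID, but Tomcat has no matching session, so this is null.
        HttpSession session = request.getSession(false);
        boolean presentedId = request.getRequestedSessionId() != null;
        boolean staleId = presentedId && !request.isRequestedSessionIdValid();
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;

        if (loggedIn) {
            chain.doFilter(req, res);
            return;
        }

        // No user in the session (or no session at all): drop the server-side state,
        // tell the browser to forget the cookie, and send the user to the login page.
        if (session != null) {
            session.invalidate();
        }
        if (staleId || session != null) {
            expireSessionCookie(request, response);
        }
        response.sendRedirect(request.getContextPath() + LOGIN_PATH);
    }

    // The browser removes a cookie when the server re-sets it with Max-Age=0.
    // The path must match the one Tomcat used (the context path, or "/" for ROOT).
    private static void expireSessionCookie(HttpServletRequest request, HttpServletResponse response) {
        Cookie gone = new Cookie("JSESSIONID", "");
        gone.setMaxAge(0);
        gone.setPath(request.getContextPath().isEmpty() ? "/" : request.getContextPath());
        gone.setHttpOnly(true);
        response.addCookie(gone);
    }
}
```

Register the filter in web.xml (or with @WebFilter("/*")) so it runs in front of the application's pages; in a Spring Security project it would sit alongside the security filter chain rather than replace it. The useful calls here are getRequestedSessionId() and isRequestedSessionIdValid(): together they distinguish "no cookie sent" from "cookie sent but unknown to this server", which is precisely the state the question describes after a restart.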

Tomcat will generate a JSESSIONID automatically if you have used a session in your web project.
If the session id changes then the JSESSIONID will change correspondingly, because the JSESSIONID indicates the session ID of the web project.
It will expire when the server stops (by default it will expire within 30 minutes), but the cookie cannot be deleted automatically.
JSESSIONID can be configured in the server.xml file of Tomcat.

From Servlet 3.0, to add an expiry date to a cookie you can add cookie-config to your web.xml file:

<session-config>
    <session-timeout>30</session-timeout> 
    <cookie-config>
        <max-age>1800</max-age>
    </cookie-config>
</session-config>

When you log in successfully, SpringSecurity stores a cookie in your browser.

When the browser sends a request, SpringSecurity checks what's in the cookie. If SpringSecurity finds the value it stored before, it thinks you have logged in, so SpringSecurity won't redirect to the login page.
