Question
I need to configure a maximum duration of an application session in Tomcat to 24 hours.
I was not able to find the appropriate configuration in the documentation:
https://tomcat.apache.org/tomcat-8.5-doc/config/http.html
(There is sessionTimeout for SSLHostConfig, but I need the Connector configuration; we terminate the SSL connection in the web server before Tomcat, but the session management is handled by Tomcat.)
Added
We already handled the session expiration timeout (Tomcat Session Timeout web.xml).
The maximum duration timeout means that even if the user is active the whole time, the application session will be invalidated after the maximum duration timeout.
Answer 1:
HttpSessionListener will only notify on session creation and destruction but won't be invoked on each page request.
I'd implement a filter to check on session creation time and invalidate the session plus set headers or redirect.
In web.xml add:
<filter>
    <filter-name>Max Session Duration</filter-name>
    <filter-class>com.your.package.MaxSessionDurationFilter</filter-class>
    <init-param>
        <!-- Maximum session duration in hours -->
        <param-name>maxduration</param-name>
        <param-value>24</param-value>
    </init-param>
</filter>
and a mapping like
<filter-mapping>
    <filter-name>Max Session Duration</filter-name>
    <url-pattern>*.jsp</url-pattern>
</filter-mapping>
Then the filter implementation is like:
package com.your.package;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class MaxSessionDurationFilter implements Filter {

    private static final long ONE_HOUR_MILLIS = 1000L * 60 * 60;

    // Maximum session lifetime in hours, read from the "maxduration" init-param
    private long maxDuration;
    private FilterConfig filterConfig;

    @Override
    public void init(FilterConfig fc) throws ServletException {
        filterConfig = fc;
        maxDuration = Long.parseLong(filterConfig.getInitParameter("maxduration"));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpReq = (HttpServletRequest) req;
        HttpServletResponse httpResp = (HttpServletResponse) resp;

        // getSession(false) does not create a session for requests that have none
        // (including the request for expiredsession.jsp after the redirect below).
        HttpSession session = httpReq.getSession(false);
        if (session != null) {
            final long creationTime = session.getCreationTime();
            final long currentTime = System.currentTimeMillis();
            // The creation time is fixed for the life of the session, so this enforces
            // an absolute lifetime regardless of how active the user has been.
            if (currentTime - creationTime > maxDuration * ONE_HOUR_MILLIS) {
                session.invalidate();
                // Could also set headers to 403 forbidden
                // httpResp.setStatus(HttpServletResponse.SC_FORBIDDEN);
                httpResp.sendRedirect("expiredsession.jsp");
                return;
            }
        }
        chain.doFilter(req, resp);
    }

    @Override
    public void destroy() { }
}
Answer 2:
It is possible to implement HttpSessionListener and to destroy sessions after 24 hours:
https://tomcat.apache.org/tomcat-8.5-doc/servletapi/javax/servlet/http/HttpSessionListener.html
The question is whether a better approach exists.
Answer 3:
You can configure the maximum session duration using setMaxInactiveInterval:
Specifies the time, in seconds, between client requests before the servlet container will invalidate this session.
Update it when the session is created, using an HttpSessionListener and overriding the sessionCreated method:
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

public class MyHttpSessionListener implements HttpSessionListener {
    public void sessionCreated(HttpSessionEvent event) {
        event.getSession().setMaxInactiveInterval(24 * 60 * 60); // 24 hours, in seconds
    }
    public void sessionDestroyed(HttpSessionEvent event) { }
}
Use an HttpSessionListener. In the sessionCreated() method, you can set the session timeout programmatically.
Source: https://stackoverflow.com/questions/54124724/how-to-configure-a-maximum-duration-of-an-application-session-in-tomcat