[Bug 68449] New: session.maxInactiveInterval() is not working for SSO Users.

Fri, 05 Jan 2024 06:56:09 -0800 

https://bz.apache.org/bugzilla/show_bug.cgi?id=68449

            Bug ID: 68449
           Summary: session.maxInactiveInterval() is not working for SSO
                    Users.
           Product: Tomcat 9
           Version: 9.0.83
          Hardware: PC
            Status: NEW
          Severity: blocker
          Priority: P2
         Component: Catalina
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: -----

I am facing issues with setting a User session duration to an arbitrary value.
The exact issue is that even if I set the value to as much as 30 minutes the
session timesout withiin 2 minutes.
Was facing this issue for all Users. Chanced upon
https://bz.apache.org/bugzilla/show_bug.cgi?id=67793 and opted to upgrade to
Tomcat 9.0.83
The update to Tomcat 9.83 resolved  this issue for users except SSO enabled
Users.

My default session timeout value is set to 30 in web.xml, so -

<session-timeout>30</session-timeout>

I understand, this should set the timeout interval to 30 minutes and would be
applicable across all user sessions.

Attempting to use -

session.setMaxInactiveInterval(300)

to change a particular User session duration to 5 mins.
<Question>Has this been deprecated and should I be moving this to
context.setMaxInactiveInterval(), instead?</Question>

The issue I face is that the value set through

setMaxInactiveInterval()

does not have appear to have any effect.
<Question>Remember reading that the timeout value will be defaulted to the
value in web.xml, every 2 or 5 minutes (by a Tomcat process?). Is this
correct?</Question>

On checking

localhost_access_log

I do not find any requests hitting Tomcat server. But for some reason the
timeouts just do not work.
What I mean by that is even if the User sets the value to 30 minutes, Tomcat
sesion timesout in 2 minutes.

I repeat right now the issue is for SSO enabled Users and I have set up the
below to this purpose - 

<Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">
...
<Valve className="SingleSignOn"/>
...
</Host>

SSO authentication works correctly and SingleSignOn.invoke() is also executed
without any error.
I am invoking 

session.etMaxInactiveInterval (seconds)

from inside invoke() and I see that this piece of code is being executed as
well.

This happens ever since I moved from Tomcat 9.0.64 to (9.0.76 & 9.0.82 &
9.0.83)

I am left without any idea where/what to look for now. 
Kindly advise.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to