Reading through the expert mailing list for the WebSocket spec, I gather that the experts did not feel it appropriate to update the last access time for HttpSession objects when messages are received. I DO agree with this; there's no way to know what the user really wants here, and it could be a security vulnerability to arbitrarily update the last accessed time.
However, I CAN imagine many scenarios where a developer DOES want to update the HttpSession last access time regularly. Consider a customer support chat application, where a user may be chatting with support for many minutes or even hours. Or a multiplayer online game, where the user is playing for hours at a time. It is very reasonable to expect that the developer may want to update the HttpSession's last access time every time a message is received (or at some other developer-defined interval) so that the user is not logged out (assuming the developer is using HttpSession for login/logout).

Since, in my personal use, I was already grabbing the HttpSession from the handshake and associating it with the Session onOpen, I just decided I'd manually update the HttpSession's last access time each time a message came in. Wrong. HttpSession doesn't have a way to update the last access time.

My thoughts are that there are two different approaches that could be taken to address the inability of the developer to keep the session alive:

1) Update the Servlet spec to add HttpSession#updateLastAccessTime(), which would be useful for more than just WebSockets, but it may be (probably is) too late to get it in Servlet 3.1 (and thus we'd have to wait another 3 years for it).

2) Update the WebSocket spec to add Session#updateHttpSessionLastAccessTime(), but then that would be useful only for WebSockets (at that point, you might as well also add a Session#getHttpSession() method, which does not exist either and so makes getting the HttpSession tricky).

Before I file an improvement JIRA against either of these projects, I wanted to get some feedback from the developers here (Mark) on what they thought the best/right approach was based on their experience and previous discussions on the expert list. Of course, if I'm overlooking some other way to update the last access time or otherwise keep the session from expiring, please let me know.
Nick
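An added example, not part of the message above and not Tomcat's own code: the handshake capture the message describes, plus a per-message check that closes the WebSocket once the associated HttpSession has idled out or been invalidated, since HttpSession exposes getLastAccessedTime() but no way to set it. The /chat path, the class names and the property key are hypothetical.

```java
import java.io.IOException;
import javax.servlet.http.HttpSession;
import javax.websocket.*;
import javax.websocket.server.*;

// Hypothetical endpoint; path and names are assumptions made for this example.
@ServerEndpoint(value = "/chat", configurator = ChatEndpoint.HttpSessionCapture.class)
public class ChatEndpoint {
    private static final String KEY = HttpSession.class.getName();

    // Runs during the HTTP upgrade, the only point where the HttpSession is reachable.
    public static class HttpSessionCapture extends ServerEndpointConfig.Configurator {
        @Override
        public void modifyHandshake(ServerEndpointConfig sec, HandshakeRequest request,
                                    HandshakeResponse response) {
            Object http = request.getHttpSession(); // null when no HttpSession exists
            if (http != null) sec.getUserProperties().put(KEY, http);
        }
    }

    @OnOpen
    public void onOpen(Session ws, EndpointConfig config) {
        // Associate the captured HttpSession with this WebSocket Session.
        Object http = config.getUserProperties().get(KEY);
        if (http != null) ws.getUserProperties().put(KEY, http);
    }

    @OnMessage
    public void onMessage(Session ws, String message) throws IOException {
        if (!httpSessionAlive((HttpSession) ws.getUserProperties().get(KEY))) {
            // Login state is gone: stop serving this connection.
            ws.close(new CloseReason(CloseReason.CloseCodes.VIOLATED_POLICY,
                                     "HTTP session expired"));
            return;
        }
        // ... application message handling goes here ...
    }

    // WebSocket traffic does not refresh lastAccessedTime, so idle time keeps growing.
    static boolean httpSessionAlive(HttpSession http) {
        if (http == null) return false;
        try {
            int maxIdleSeconds = http.getMaxInactiveInterval();
            if (maxIdleSeconds <= 0) return true; // zero or negative: never times out
            long idleMs = System.currentTimeMillis() - http.getLastAccessedTime();
            return idleMs < maxIdleSeconds * 1000L;
        } catch (IllegalStateException invalidated) {
            return false; // session was already invalidated (logout or container expiry)
        }
    }
}
```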