On Mar 20, 2013, at 5:24 PM, Nick Williams wrote:

> Reading through the expert mailing list for the WebSocket spec, I gather that
> the experts did not feel it appropriate to update the last access time for
> HttpSession objects when messages are received. I DO agree with this; there's
> no way to know what the user really wants here, and it could be a security
> vulnerability to arbitrarily update the last accessed time.
>
> However, I CAN imagine many scenarios where a developer DOES want to update
> the HttpSession last access time regularly. Consider a customer support chat
> application, where a user may be chatting with support for many minutes or
> even hours. Or a multiplayer online game, where the user is playing for hours
> at a time. It is very reasonable to expect that the developer may want to
> update the HttpSession's last access time every time a message is received
> (or at some other developer-defined interval) so that the user is not logged
> out (assuming the developer is using HttpSession for login/logout). Since, in
> my personal use, I was already grabbing the HttpSession from the handshake
> and associating it with the Session onOpen, I just decided I'd manually
> update the HttpSession's last access time each time a message came in. Wrong.
> HttpSession doesn't have a way to update the last access time.
>
> My thoughts are that there are two different approaches that could be taken
> to address the inability of the developer to keep the session alive:
>
> 1) Update the Servlet spec to add HttpSession#updateLastAccessTime(), which
> would be useful for more than just WebSockets, but it may be (probably is)
> too late to get it in Servlet 3.1 (and thus we'd have to wait another 3 years
> for it).
> 2) Update the WebSocket spec to add
> Session#updateHttpSessionLastAccessTime(), but then that would be useful only
> for WebSockets (at that point, you might as well also add a
> Session#getHttpSession() method, which does not exist either and so makes
> getting the HttpSession tricky).
>
> Before I file an improvement JIRA against either of these projects, I wanted
> to get some feedback from the developers here (Mark) on what they thought the
> best/right approach was based on their experience and previous discussions on
> the expert list. Of course, if I'm overlooking some other way to update the
> last access time or otherwise keep the session from expiring, please let me
> know.
>
> Nick

And, as expected, I am not the only one wondering about this [1]. Based on Mark's response to that bug, I have raised this issue as a WebSocket API JIRA [2]. Mark, if you could get a discussion going in the EG about this issue, that would be great. =D I'll keep my eye on the EG mailing list archive to see how the discussion goes.

[1] https://issues.apache.org/bugzilla/show_bug.cgi?id=54738
[2] http://java.net/jira/browse/WEBSOCKET_SPEC-175
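
Added example, not code from this thread or from Tomcat: a sketch of the setup the message describes, capturing the HttpSession during the handshake and associating it with the WebSocket Session in onOpen, using the javax.websocket (JSR 356) API. Because HttpSession exposes the last access time only through a getter, the endpoint cannot refresh it; what it can do is close the socket once the HTTP session used for login has been invalidated. The endpoint path, class names and property key are hypothetical, and the code assumes the container gives each handshake its own user-properties map.

```java
import java.io.IOException;
import javax.servlet.http.HttpSession;
import javax.websocket.CloseReason;
import javax.websocket.CloseReason.CloseCodes;
import javax.websocket.EndpointConfig;
import javax.websocket.HandshakeResponse;
import javax.websocket.OnMessage;
import javax.websocket.OnOpen;
import javax.websocket.Session;
import javax.websocket.server.HandshakeRequest;
import javax.websocket.server.ServerEndpoint;
import javax.websocket.server.ServerEndpointConfig;

// Hypothetical endpoint; path, class names and property key are made up for this example.
@ServerEndpoint(value = "/support-chat", configurator = SupportChatEndpoint.HttpSessionCapture.class)
public class SupportChatEndpoint {
    private static final String HTTP_SESSION_KEY = "example.httpSession";

    // Runs during the HTTP upgrade, the only point where the HttpSession is reachable.
    public static class HttpSessionCapture extends ServerEndpointConfig.Configurator {
        @Override
        public void modifyHandshake(ServerEndpointConfig sec, HandshakeRequest request, HandshakeResponse response) {
            Object httpSession = request.getHttpSession(); // null when the client has no session
            if (httpSession != null) {
                sec.getUserProperties().put(HTTP_SESSION_KEY, httpSession);
            }
        }
    }

    @OnOpen
    public void onOpen(Session ws, EndpointConfig config) throws IOException {
        Object httpSession = config.getUserProperties().get(HTTP_SESSION_KEY);
        if (httpSession == null) {
            // No login session behind this socket: refuse it.
            ws.close(new CloseReason(CloseCodes.VIOLATED_POLICY, "No HTTP session"));
            return;
        }
        ws.getUserProperties().put(HTTP_SESSION_KEY, httpSession);
    }

    @OnMessage
    public void onMessage(Session ws, String message) throws IOException {
        HttpSession httpSession = (HttpSession) ws.getUserProperties().get(HTTP_SESSION_KEY);
        try {
            // Read-only accessor; throws IllegalStateException once the session is invalidated.
            httpSession.getLastAccessedTime();
        } catch (IllegalStateException invalidated) {
            ws.close(new CloseReason(CloseCodes.VIOLATED_POLICY, "HTTP session ended"));
            return;
        }
        // ... handle the chat message here ...
    }
}
```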