I have a JSF 2 app that uses RichFaces 4 and Spring Security 3.1 running on Tomcat 6 (also tested on Tomcat 7). Spring Security handles the session timeout and redirects the user to the login page. That works perfectly.

The problem is that AJAX calls don't seem to have the effect of extending the session lifetime the way that ordinary navigation calls do.

I've read other articles suggesting that AJAX calls don't behave the same as ordinary navigation calls and that this is why the session isn't extended (unfortunately, none of them provide a clear explanation as to why this is). This thread suggests that a call to getSession() will do the trick. However, this is not working for me.

Instead of writing my own jQuery poller I used the PrimeFaces idlemonitor as suggested here. The bean method called by the idle monitor reset calls getSession(). For testing I set the session timeout period to 4 minutes. Even though the AJAX method with getSession() is being called after two minutes, the session still expires exactly 4 minutes after I navigate to that page.

Any idea what I'm doing wrong? More importantly, how would you debug this situation?

Thanks

user2000974
  • Why do you think that Tomcat is to blame here? Shouldn't you blame Spring Security as it has taken over the session management? I don't do Spring, so I can't go in detail, but I can at least tell that I've never observed this behavior when using container managed authentication or Shiro. – BalusC Jan 22 '13 at 17:23
  • Well, Tomcat owns the session lifetime. My understanding (may be wrong) is that Spring Security only responds to the fact that the session has been destroyed when Tomcat times it out. I'd rather find a solution than something to blame. – user2000974 Jan 27 '13 at 03:21

0 Answers