Session timeout for webapps

deepak nigam-2
Hello all,

I tried to set the session timeout for the 'ecommerce' and the
'webtools' components using <session-config> of web.xml, but was unable to do
so. The session for the logged-in user remains active even after the set time.

On further research, I found that we made some changes in this area in the
ticket OFBIZ-6655 <https://issues.apache.org/jira/browse/OFBIZ-6655>. We
have hard-coded the session timeout (1 hr) in the sessionCreated() method
of the ControlEventListener class. As per the comments in the Jira ticket,
session timeout declarations in web.xml have been removed by the use
of the @WebListener annotation. This is to avoid duplicate things everywhere in
web.xml files. Since the web.xml files have precedence over annotations, the
setting can be easily overridden when necessary.

But the @WebListener is missing in the ControlEventListener class. Also, I am
unable to override the session timeout in web.xml even after putting the
@WebListener annotation in the ControlEventListener class.

Please let me know if this is a real issue or if I am doing something wrong?

Thanks & Regards
--
Deepak Nigam
HotWax Systems Pvt. Ltd.

Re: Session timeout for webapps

Jacques Le Roux
Administrator
Hi Deepak,

You are right, it's hardcoded and should not be. I have no time to go further at the moment, but I will ASAP.

Thanks

Jacques

On 08/01/2019 at 06:10, Deepak Nigam wrote:

> Hello all,
>
> I tried to set the session timeout for the 'ecommerce' and the
> 'webtools' components using <session-config> of web.xml, but was unable to do
> so. The session for the logged-in user remains active even after the set time.
>
> On further research, I found that we made some changes in this area in the
> ticket OFBIZ-6655 <https://issues.apache.org/jira/browse/OFBIZ-6655>. We
> have hard-coded the session timeout (1 hr) in the sessionCreated() method
> of the ControlEventListener class. As per the comments in the Jira ticket,
> session timeout declarations in web.xml have been removed by the use
> of the @WebListener annotation. This is to avoid duplicate things everywhere in
> web.xml files. Since the web.xml files have precedence over annotations, the
> setting can be easily overridden when necessary.
>
> But the @WebListener is missing in the ControlEventListener class. Also, I am
> unable to override the session timeout in web.xml even after putting the
> @WebListener annotation in the ControlEventListener class.
>
> Please let me know if this is a real issue or if I am doing something wrong?
>
> Thanks & Regards
> --
> Deepak Nigam
> HotWax Systems Pvt. Ltd.
>

Re: Session timeout for webapps

deepak nigam-2
Thanks, Jacques.

Apart from the hardcoded thing, I am not able to override the session
timeout value using <session-timeout> tag in web.xml.

On Tue, Jan 8, 2019 at 1:55 PM Jacques Le Roux <[hidden email]> wrote:

> Hi Deepak,
>
> You are right, it's hardcoded and should not be. I have no time to go further
> at the moment, but I will ASAP.
>
> Thanks
>
> Jacques

Re: Session timeout for webapps

grv
Hi Deepak

By the time sessionCreated is called in an HttpSessionListener, the session
has already been created. I am sure if you try to get the HttpSession from
the HttpSessionEvent object, it will have what you defined in the
<session-timeout> tag.

But the code is overriding the timeout using setMaxInactiveInterval to 1
hour; that is why it looks like web.xml is not being given
precedence over programmatic session configuration.

Whether web.xml takes precedence over annotations does not apply in this
case because the session timeout value is being overridden by the
code anyway. The Tomcat container definitely reads session-timeout from web.xml
and assigns the timeout for the session accordingly. But since a listener is
configured for session lifecycle management, it invokes the method and
there the session value is being overridden.

Try to set a 2-minute session timeout in web.xml and remove
session.setMaxInactiveInterval(60*60).
I would say you will be logged out after 2 minutes. If that is not the
case, please let me know.

I hope I understood your question and problem correctly.

Best,
Girish



On Wed, Jan 9, 2019 at 1:53 PM Deepak Nigam <[hidden email]>
wrote:

> Thanks, Jacques.
>
> Apart from the hardcoded thing, I am not able to override the session
> timeout value using <session-timeout> tag in web.xml.

Re: Session timeout for webapps

Jacques Le Roux
Administrator
In reply to this post by deepak nigam-2
Hi Deepak,

I'll soon create a Jira and have a look at it. All ideas are welcome ;)

Jacques

On 09/01/2019 at 09:16, Deepak Nigam wrote:

> Thanks, Jacques.
>
> Apart from the hardcoded thing, I am not able to override the session
> timeout value using <session-timeout> tag in web.xml.

Re: Session timeout for webapps

Jacques Le Roux
Administrator
In reply to this post by grv
Thanks Girish,

I saw your message after sending about creating a Jira and asking for ideas. This sounds like the ideas I was looking for and I can foresee an implementation.

Jacques

On 09/01/2019 at 10:11, Girish Vasmatkar wrote:

> Hi Deepak
>
> By the time sessionCreated is called in an HttpSessionListener, the session
> has already been created. I am sure if you try to get the HttpSession from
> the HttpSessionEvent object, it will have what you defined in the
> <session-timeout> tag.
>
> But the code is overriding the timeout using setMaxInactiveInterval to 1
> hour; that is why it looks like web.xml is not being given
> precedence over programmatic session configuration.
>
> Whether web.xml takes precedence over annotations does not apply in this
> case because the session timeout value is being overridden by the
> code anyway. The Tomcat container definitely reads session-timeout from web.xml
> and assigns the timeout for the session accordingly. But since a listener is
> configured for session lifecycle management, it invokes the method and
> there the session value is being overridden.
>
> Try to set a 2-minute session timeout in web.xml and remove
> session.setMaxInactiveInterval(60*60).
> I would say you will be logged out after 2 minutes. If that is not the
> case, please let me know.
>
> I hope I understood your question and problem correctly.
>
> Best,
> Girish

Re: Session timeout for webapps

Jacques Le Roux
Administrator
In reply to this post by grv
Hi Deepak, Girish,

I had a look at the issue. The Java Servlet Specification 3.0 doesn't include an annotation to change the session timeout.

    https://www.baeldung.com/servlet-session-timeout
    https://stackoverflow.com/questions/20389833/session-timeout-config-with-no-web-xml-file

I think the best solution is to put back what we had before, i.e. set it to a value (it was 1 hour before) in all web.xml files and remove the

    session.setMaxInactiveInterval(60*60); //in seconds

line in ControlEventListener::sessionCreated.

I thought about keeping this line if a check to null for the session timeout value (from web.xml) was positive.
But by default Tomcat sets it to 30 min (so it's never null), and it's possible but hard to change in OFBiz (e.g. to a known specific extraordinary value
that could be checked instead of null as above).
So it could be confusing, and anyway best practice is to prefer convention over configuration, even if in this case it's very redundant.

I think we can reopen OFBIZ-6655 and handle it there, with an explanation.

Other ideas?

Jacques

On 09/01/2019 at 10:11, Girish Vasmatkar wrote:

> Hi Deepak
>
> By the time sessionCreated is called in an HttpSessionListener, the session
> has already been created. I am sure if you try to get the HttpSession from
> the HttpSessionEvent object, it will have what you defined in the
> <session-timeout> tag.
>
> But the code is overriding the timeout using setMaxInactiveInterval to 1
> hour; that is why it looks like web.xml is not being given
> precedence over programmatic session configuration.
>
> Whether web.xml takes precedence over annotations does not apply in this
> case because the session timeout value is being overridden by the
> code anyway. The Tomcat container definitely reads session-timeout from web.xml
> and assigns the timeout for the session accordingly. But since a listener is
> configured for session lifecycle management, it invokes the method and
> there the session value is being overridden.
>
> Try to set a 2-minute session timeout in web.xml and remove
> session.setMaxInactiveInterval(60*60).
> I would say you will be logged out after 2 minutes. If that is not the
> case, please let me know.
>
> I hope I understood your question and problem correctly.
>
> Best,
> Girish

Re: Session timeout for webapps

grv
Hi Jacques

Yes, we should put back the session timeout declaration in web.xml. Given
the fact that we can always mix web.xml and annotation-based configuration,
it only makes sense to let web.xml decide the session timeout and even if
we have the session listener (via web.xml declaration or annotation), we
should not programmatically try to override the setting.

Thanks and Regards,
Girish


On Thu, Jan 10, 2019 at 7:14 PM Jacques Le Roux <[hidden email]> wrote:

> Hi Deepak, Girish,
>
> I had a look at the issue. The Java Servlet Specification 3.0 doesn't
> include an annotation to change the session timeout.
>
>     https://www.baeldung.com/servlet-session-timeout
>     https://stackoverflow.com/questions/20389833/session-timeout-config-with-no-web-xml-file
>
> I think the best solution is to put back what we had before, i.e. set it to
> a value (it was 1 hour before) in all web.xml files and remove the
>
>     session.setMaxInactiveInterval(60*60); //in seconds
>
> line in ControlEventListener::sessionCreated.
>
> I thought about keeping this line if a check to null for the session
> timeout value (from web.xml) was positive.
> But by default Tomcat sets it to 30 min (so it's never null), and it's
> possible but hard to change in OFBiz (e.g. to a known specific extraordinary
> value that could be checked instead of null as above).
> So it could be confusing, and anyway best practice is to prefer convention
> over configuration, even if in this case it's very redundant.
>
> I think we can reopen OFBIZ-6655 and handle it there, with an explanation.
>
> Other ideas?
>
> Jacques

Re: Session timeout for webapps

deepak nigam-2
Thanks, Jacques and Girish.

Yes, it makes sense to get back to web.xml for the session timeout value.

On Fri, Jan 11, 2019 at 11:13 AM Girish Vasmatkar <
[hidden email]> wrote:

> Hi Jacques
>
> Yes, we should put back the session timeout declaration in web.xml. Given
> the fact that we can always mix web.xml and annotation-based configuration,
> it only makes sense to let web.xml decide the session timeout and even if
> we have the session listener (via web.xml declaration or annotation), we
> should not programmatically try to override the setting.
>
> Thanks and Regards,
> Girish

Re: Session timeout for webapps

Jacques Le Roux
Administrator
Thanks Guys,

I'll do it this afternoon using OFBIZ-6655.

Jacques

On 11/01/2019 at 07:03, Deepak Nigam wrote:

> Thanks, Jacques and Girish.
>
> Yes, it makes sense to get back to web.xml for the session timeout value.
>
> On Fri, Jan 11, 2019 at 11:13 AM Girish Vasmatkar <
> [hidden email]> wrote:
>
>> Hi Jacques
>>
>> Yes, we should put back the session timeout declaration in web.xml. Given
>> the fact that we can always mix web.xml and Annotation based configuration,
>> it only makes sense to let web.xml decide the session timeout and even if
>> we have the session listener (via web.xml declaration or Annotation), we
>> should not programatically try to override the setting.
>>
>> Thanks and Regards,
>> Girish
>>
>>
>> On Thu, Jan 10, 2019 at 7:14 PM Jacques Le Roux <
>> [hidden email]> wrote:
>>
>>> Hi Deepak, Girish,
>>>
>>> I had a look at the issue. The specifications of Java Servlet
>>> Specification 3.0 don't include an annotation to change the session time
>>> out.
>>>
>>>      https://www.baeldung.com/servlet-session-timeout
>>>
>>>
>> https://stackoverflow.com/questions/20389833/session-timeout-config-with-no-web-xml-file
>>> I think the best solution is to put back what we had before, ie set it to
>>> a value (it was 1 hour before) in all web.xml file and remove the
>>>
>>>      session.setMaxInactiveInterval(60*60); //in seconds
>>>
>>> line in ControlEventListener::sessionCreated
>>>
>>> I thought about keeping this line if a check to null for the session
>>> timeout value (from web.xml) was positive.
>>> But by default Tomcat sets it to 30 min (so it's never null) and it's
>>> possible but hard to change in OFBiz (eg to a known specific
>> extraordinary
>>> value
>>> that could be checked instead of null as above)
>>> So it could be confusing and anyway best practice is to prefer convention
>>> over configuration, even if in this case it's much redundant.
>>>
>>> I think we can reopen OFBIZ-6655 and handle it there, with an
>> explanation.
>>> Other ideas?
>>>
>>> Jacques
>>>
>>> Le 09/01/2019 à 10:11, Girish Vasmatkar a écrit :
>>>> Hi Deepak
>>>>
>>>> By the time sessionCreated is called in an HttpSessionListener, the
>>> session
>>>> has already been created. I am sure if you try to get the HttpSession
>>> from
>>>> the HttpSessionEvent object, it will have what you defined in
>>>> <session-timeout> tag.
>>>>
>>>> But the code is overriding the timeout using setMaxInactiveInterval to
>> 1
>>>> hour that is why it is looking like web.xml is not being given
>>>> precedence over programmatic session configuration.
>>>>
>>>> Whether web.xml takes precedence over annotation does not apply in this
>>>> case because anyway the session timeout value is being overridden by
>> the
>>>> code. The tomcat container definitely reads session-timeout from
>> web.xml
>>>> and assigns timeout for the session accordingly. But since a listener
>> is
>>>> configured for session lifecycle management, it invokes the method and
>>>> there the session value is being overridden.
>>>>
>>>> Try to set 2 minutes session timeout in web.xml and remove
>>>> session.setMaxInactiveInterval(60*60).
>>>> I would say you will be logged out after 2 minutes. If that is not the
>>>> case, pl let me know.
>>>>
>>>> I hope I understood your question and problem correctly.
>>>>
>>>> Best,
>>>> Girish
>>>>
>>>>
>>>>
>>>> On Wed, Jan 9, 2019 at 1:53 PM Deepak Nigam <
>> [hidden email]>
>>>> wrote:
>>>>
>>>>> Thanks, Jacques.
>>>>>
>>>>> Apart from the hardcoded thing, I am not able to override the session
>>>>> timeout value using <session-timeout> tag in web.xml.
>>>>>
>>>>> On Tue, Jan 8, 2019 at 1:55 PM Jacques Le Roux <
>>>>> [hidden email]>
>>>>> wrote:
>>>>>
>>>>>> Hi Deepak,
>>>>>>
>>>>>> You are right, it's hardcoded and should not. I have no time to go
>>>>> further
>>>>>> at the moment, but I'll ASAP
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Jacques
>>>>>>
>>>>>> Le 08/01/2019 à 06:10, Deepak Nigam a écrit :
>>>>>>> Hello all,
>>>>>>>
>>>>>>> I tried to set the session timeout for the 'ecommerce' and the
>>>>>>> 'webtools' components using <session-config> of web.xml, but unable
>> to
>>>>> do
>>>>>>> so. Session for the logged-in user remains active even after the set
>>>>>> time.
>>>>>>> On further research, I found that we did some changes in this area
>> in
>>>>> the
>>>>>>> ticket OFBIZ-6655 <https://issues.apache.org/jira/browse/OFBIZ-6655
>>> .
>>>>> We
>>>>>>> have hard coded the session timeout (1 hr) in the sessionCreated()
>>>>> method
>>>>>>> of ControlEventListner class. As per the comments in the Jira
>> ticket,
>>>>>>> session timeout declarations in web.xml have been removed by the use
>>>>>>> of @WebListner annotation. This is to avoid duplicates things
>>>>> everywhere
>>>>>> in
>>>>>>> web.xml files. Since the web.xml files have precedence on
>> annotations,
>>>>>> the
>>>>>>> setting can be easily overridden when necessary.
>>>>>>>
>>>>>>> But the @WebListner is missing in the ControlEventListner class.
>> Also,
>>>>> I
>>>>>> am
>>>>>>> unable to override the session timeout in web.xml even after putting
>>>>> the
>>>>>>> @WebListner annotation in ControlEventListner class.
>>>>>>>
>>>>>>> Please let me know if this is a real issue or I am doing something
>>>>> wrong?
>>>>>>> Thanks & Regards
>>>>>>> --
>>>>>>> Deepak Nigam
>>>>>>> HotWax Systems Pvt. Ltd.
>>>>>>>

Re: Session timeout for webapps

Jacques Le Roux
Administrator
Hi Guys,

Done, please double-check that I have not missed any web.xml files

Thanks

Jacques

Le 11/01/2019 à 11:34, Jacques Le Roux a écrit :

> Thanks Guys,
>
> I'll do this afternoon using OFBIZ-6655
>
> Jacques
>
> Le 11/01/2019 à 07:03, Deepak Nigam a écrit :
>> Thanks, Jacques and Girish.
>>
>> Yes, it makes sense to get back to web.xml for the session timeout value.
>>
>> On Fri, Jan 11, 2019 at 11:13 AM Girish Vasmatkar <
>> [hidden email]> wrote:
>>
>>> Hi Jacques
>>>
>>> Yes, we should put back the session timeout declaration in web.xml. Given
>>> the fact that we can always mix web.xml and Annotation based configuration,
>>> it only makes sense to let web.xml decide the session timeout and even if
>>> we have the session listener (via web.xml declaration or Annotation), we
>>> should not programmatically try to override the setting.
>>>
>>> Thanks and Regards,
>>> Girish
>>>
>>>
>>> On Thu, Jan 10, 2019 at 7:14 PM Jacques Le Roux <
>>> [hidden email]> wrote:
>>>
>>>> Hi Deepak, Girish,
>>>>
>>>> I had a look at the issue. The specifications of Java Servlet
>>>> Specification 3.0 don't include an annotation to change the session time
>>>> out.
>>>>
>>>>      https://www.baeldung.com/servlet-session-timeout
>>>>      https://stackoverflow.com/questions/20389833/session-timeout-config-with-no-web-xml-file
>>>>
>>>> I think the best solution is to put back what we had before, ie set it to
>>>> a value (it was 1 hour before) in all web.xml file and remove the
>>>>
>>>>      session.setMaxInactiveInterval(60*60); //in seconds
>>>>
>>>> line in ControlEventListener::sessionCreated
>>>>
>>>> I thought about keeping this line if a check to null for the session
>>>> timeout value (from web.xml) was positive.
>>>> But by default Tomcat sets it to 30 min (so it's never null) and it's
>>>> possible but hard to change in OFBiz (eg to a known specific extraordinary
>>>> value that could be checked instead of null as above)
>>>> So it could be confusing and anyway best practice is to prefer convention
>>>> over configuration, even if in this case it's much redundant.
>>>>
>>>> I think we can reopen OFBIZ-6655 and handle it there, with an explanation.
>>>> Other ideas?
>>>>
>>>> Jacques
>>>>
>>>> Le 09/01/2019 à 10:11, Girish Vasmatkar a écrit :
>>>>> Hi Deepak
>>>>>
>>>>> By the time sessionCreated is called in an HttpSessionListener, the
>>>> session
>>>>> has already been created. I am sure if you try to get the HttpSession
>>>> from
>>>>> the HttpSessionEvent object, it will have what you defined in
>>>>> <session-timeout> tag.
>>>>>
>>>>> But the code is overriding the timeout using setMaxInactiveInterval to
>>> 1
>>>>> hour that is why it is looking like web.xml is not being given
>>>>> precedence over programmatic session configuration.
>>>>>
>>>>> Whether web.xml takes precedence over annotation does not apply in this
>>>>> case because anyway the session timeout value is being overridden by
>>> the
>>>>> code. The tomcat container definitely reads session-timeout from
>>> web.xml
>>>>> and assigns timeout for the session accordingly. But since a listener
>>> is
>>>>> configured for session lifecycle management, it invokes the method and
>>>>> there the session value is being overridden.
>>>>>
>>>>> Try to set 2 minutes session timeout in web.xml and remove
>>>>> session.setMaxInactiveInterval(60*60).
>>>>> I would say you will be logged out after 2 minutes. If that is not the
>>>>> case, pl let me know.
>>>>>
>>>>> I hope I understood your question and problem correctly.
>>>>>
>>>>> Best,
>>>>> Girish
>>>>>
>>>>>
>>>>>
>>>>> On Wed, Jan 9, 2019 at 1:53 PM Deepak Nigam <
>>> [hidden email]>
>>>>> wrote:
>>>>>
>>>>>> Thanks, Jacques.
>>>>>>
>>>>>> Apart from the hardcoded thing, I am not able to override the session
>>>>>> timeout value using <session-timeout> tag in web.xml.
>>>>>>
>>>>>> On Tue, Jan 8, 2019 at 1:55 PM Jacques Le Roux <
>>>>>> [hidden email]>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi Deepak,
>>>>>>>
>>>>>>> You are right, it's hardcoded and should not. I have no time to go
>>>>>> further
>>>>>>> at the moment, but I'll ASAP
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> Jacques
>>>>>>>
>>>>>>> Le 08/01/2019 à 06:10, Deepak Nigam a écrit :
>>>>>>>> Hello all,
>>>>>>>>
>>>>>>>> I tried to set the session timeout for the 'ecommerce' and the
>>>>>>>> 'webtools' components using <session-config> of web.xml, but unable
>>> to
>>>>>> do
>>>>>>>> so. Session for the logged-in user remains active even after the set
>>>>>>> time.
>>>>>>>> On further research, I found that we did some changes in this area
>>> in
>>>>>> the
>>>>>>>> ticket OFBIZ-6655 <https://issues.apache.org/jira/browse/OFBIZ-6655
>>>> .
>>>>>> We
>>>>>>>> have hard coded the session timeout (1 hr) in the sessionCreated()
>>>>>> method
>>>>>>>> of ControlEventListner class. As per the comments in the Jira
>>> ticket,
>>>>>>>> session timeout declarations in web.xml have been removed by the use
>>>>>>>> of @WebListner annotation. This is to avoid duplicates things
>>>>>> everywhere
>>>>>>> in
>>>>>>>> web.xml files. Since the web.xml files have precedence on
>>> annotations,
>>>>>>> the
>>>>>>>> setting can be easily overridden when necessary.
>>>>>>>>
>>>>>>>> But the @WebListner is missing in the ControlEventListner class.
>>> Also,
>>>>>> I
>>>>>>> am
>>>>>>>> unable to override the session timeout in web.xml even after putting
>>>>>> the
>>>>>>>> @WebListner annotation in ControlEventListner class.
>>>>>>>>
>>>>>>>> Please let me know if this is a real issue or I am doing something
>>>>>> wrong?
>>>>>>>> Thanks & Regards
>>>>>>>> --
>>>>>>>> Deepak Nigam
>>>>>>>> HotWax Systems Pvt. Ltd.
>>>>>>>>
>

Re: Session timeout for webapps

deepak nigam-2
Hi Jacques,

On double checking, I found that
/applications/marketing/webapp/marketing/WEB-INF/web.xml and
/applications/party/webapp/partymgr/WEB-INF/web.xml files have been missed.
Apart from that, I think we need to work for web.xml of various plugins
also.

Thanks & Regards
--
Deepak Nigam
HotWax Systems Pvt. Ltd


On Fri, Jan 11, 2019 at 9:58 PM Jacques Le Roux <
[hidden email]> wrote:

> Hi Guys,
>
> Done, please double-check that I have not missed a web.xml files
>
> Thanks
>
> Jacques
>
> Le 11/01/2019 à 11:34, Jacques Le Roux a écrit :
> > Thanks Guys,
> >
> > I'll do this afternoon using OFBIZ-6655
> >
> > Jacques
> >
> > Le 11/01/2019 à 07:03, Deepak Nigam a écrit :
> >> Thanks, Jacques and Girish.
> >>
> >> Yes, it makes sense to get back to web.xml for the session timeout value.
> >>
> >> On Fri, Jan 11, 2019 at 11:13 AM Girish Vasmatkar <
> >> [hidden email]> wrote:
> >>
> >>> Hi Jacques
> >>>
> >>> Yes, we should put back the session timeout declaration in web.xml. Given
> >>> the fact that we can always mix web.xml and Annotation based configuration,
> >>> it only makes sense to let web.xml decide the session timeout and even if
> >>> we have the session listener (via web.xml declaration or Annotation), we
> >>> should not programmatically try to override the setting.
> >>>
> >>> Thanks and Regards,
> >>> Girish
> >>>
> >>>
> >>> On Thu, Jan 10, 2019 at 7:14 PM Jacques Le Roux <
> >>> [hidden email]> wrote:
> >>>
> >>>> Hi Deepak, Girish,
> >>>>
> >>>> I had a look at the issue. The specifications of Java Servlet
> >>>> Specification 3.0 don't include an annotation to change the session time
> >>>> out.
> >>>>
> >>>>      https://www.baeldung.com/servlet-session-timeout
> >>>>      https://stackoverflow.com/questions/20389833/session-timeout-config-with-no-web-xml-file
> >>>>
> >>>> I think the best solution is to put back what we had before, ie set it to
> >>>> a value (it was 1 hour before) in all web.xml file and remove the
> >>>>
> >>>>      session.setMaxInactiveInterval(60*60); //in seconds
> >>>>
> >>>> line in ControlEventListener::sessionCreated
> >>>>
> >>>> I thought about keeping this line if a check to null for the session
> >>>> timeout value (from web.xml) was positive.
> >>>> But by default Tomcat sets it to 30 min (so it's never null) and it's
> >>>> possible but hard to change in OFBiz (eg to a known specific extraordinary
> >>>> value that could be checked instead of null as above)
> >>>> So it could be confusing and anyway best practice is to prefer convention
> >>>> over configuration, even if in this case it's much redundant.
> >>>>
> >>>> I think we can reopen OFBIZ-6655 and handle it there, with an explanation.
> >>>> Other ideas?
> >>>>
> >>>> Jacques
> >>>>
> >>>> Le 09/01/2019 à 10:11, Girish Vasmatkar a écrit :
> >>>>> Hi Deepak
> >>>>>
> >>>>> By the time sessionCreated is called in an HttpSessionListener, the
> >>>> session
> >>>>> has already been created. I am sure if you try to get the HttpSession
> >>>> from
> >>>>> the HttpSessionEvent object, it will have what you defined in
> >>>>> <session-timeout> tag.
> >>>>>
> >>>>> But the code is overriding the timeout using setMaxInactiveInterval
> to
> >>> 1
> >>>>> hour that is why it is looking like web.xml is not being given
> >>>>> precedence over programmatic session configuration.
> >>>>>
> >>>>> Whether web.xml takes precedence over annotation does not apply in
> this
> >>>>> case because anyway the session timeout value is being overridden by
> >>> the
> >>>>> code. The tomcat container definitely reads session-timeout from
> >>> web.xml
> >>>>> and assigns timeout for the session accordingly. But since a listener
> >>> is
> >>>>> configured for session lifecycle management, it invokes the method
> and
> >>>>> there the session value is being overridden.
> >>>>>
> >>>>> Try to set 2 minutes session timeout in web.xml and remove
> >>>>> session.setMaxInactiveInterval(60*60).
> >>>>> I would say you will be logged out after 2 minutes. If that is not
> the
> >>>>> case, pl let me know.
> >>>>>
> >>>>> I hope I understood your question and problem correctly.
> >>>>>
> >>>>> Best,
> >>>>> Girish
> >>>>>
> >>>>>
> >>>>>
> >>>>> On Wed, Jan 9, 2019 at 1:53 PM Deepak Nigam <
> >>> [hidden email]>
> >>>>> wrote:
> >>>>>
> >>>>>> Thanks, Jacques.
> >>>>>>
> >>>>>> Apart from the hardcoded thing, I am not able to override the
> session
> >>>>>> timeout value using <session-timeout> tag in web.xml.
> >>>>>>
> >>>>>> On Tue, Jan 8, 2019 at 1:55 PM Jacques Le Roux <
> >>>>>> [hidden email]>
> >>>>>> wrote:
> >>>>>>
> >>>>>>> Hi Deepak,
> >>>>>>>
> >>>>>>> You are right, it's hardcoded and should not. I have no time to go
> >>>>>> further
> >>>>>>> at the moment, but I'll ASAP
> >>>>>>>
> >>>>>>> Thanks
> >>>>>>>
> >>>>>>> Jacques
> >>>>>>>
> >>>>>>> Le 08/01/2019 à 06:10, Deepak Nigam a écrit :
> >>>>>>>> Hello all,
> >>>>>>>>
> >>>>>>>> I tried to set the session timeout for the 'ecommerce' and the
> >>>>>>>> 'webtools' components using <session-config> of web.xml, but
> unable
> >>> to
> >>>>>> do
> >>>>>>>> so. Session for the logged-in user remains active even after the
> set
> >>>>>>> time.
> >>>>>>>> On further research, I found that we did some changes in this area
> >>> in
> >>>>>> the
> >>>>>>>> ticket OFBIZ-6655 <
> https://issues.apache.org/jira/browse/OFBIZ-6655
> >>>> .
> >>>>>> We
> >>>>>>>> have hard coded the session timeout (1 hr) in the sessionCreated()
> >>>>>> method
> >>>>>>>> of ControlEventListner class. As per the comments in the Jira
> >>> ticket,
> >>>>>>>> session timeout declarations in web.xml have been removed by the
> use
> >>>>>>>> of @WebListner annotation. This is to avoid duplicates things
> >>>>>> everywhere
> >>>>>>> in
> >>>>>>>> web.xml files. Since the web.xml files have precedence on
> >>> annotations,
> >>>>>>> the
> >>>>>>>> setting can be easily overridden when necessary.
> >>>>>>>>
> >>>>>>>> But the @WebListner is missing in the ControlEventListner class.
> >>> Also,
> >>>>>> I
> >>>>>>> am
> >>>>>>>> unable to override the session timeout in web.xml even after
> putting
> >>>>>> the
> >>>>>>>> @WebListner annotation in ControlEventListner class.
> >>>>>>>>
> >>>>>>>> Please let me know if this is a real issue or I am doing something
> >>>>>> wrong?
> >>>>>>>> Thanks & Regards
> >>>>>>>> --
> >>>>>>>> Deepak Nigam
> >>>>>>>> HotWax Systems Pvt. Ltd.
> >>>>>>>>
> >
>
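
Added example (not part of the thread and not OFBiz code): the double-check above found web.xml files that had been missed, so this Python script audits a source tree for webapps with no usable `<session-timeout>`, a non-positive value, or a value above a limit, and for Java code that calls `setMaxInactiveInterval`. The function names, the 60-minute limit and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# A programmatic override like the one the thread removes from sessionCreated().
OVERRIDE_RE = re.compile(r"\.setMaxInactiveInterval\s*\(")

def declared_timeout(web_xml):
    """Minutes from <session-timeout>, or None if absent or unparseable."""
    try:
        for el in ET.parse(web_xml).getroot().iter():
            if el.tag.rsplit("}", 1)[-1] == "session-timeout":  # ignore XML namespace
                return int((el.text or "").strip())
    except (ET.ParseError, ValueError):
        pass
    return None

def audit(root_dir, max_minutes=60):
    """Return sorted (location, finding) pairs for every webapp under root_dir."""
    root_dir = Path(root_dir)
    findings = []
    for web_xml in root_dir.rglob("web.xml"):
        if web_xml.parent.name != "WEB-INF":
            continue
        rel = web_xml.relative_to(root_dir).as_posix()
        minutes = declared_timeout(web_xml)
        if minutes is None:
            findings.append((rel, "no usable session-timeout (container default applies)"))
        elif minutes <= 0:
            findings.append((rel, "session-timeout <= 0: sessions never expire"))
        elif minutes > max_minutes:
            findings.append((rel, f"session-timeout {minutes} min exceeds {max_minutes} min"))
    for src in root_dir.rglob("*.java"):
        lines = src.read_text(encoding="utf-8", errors="replace").splitlines()
        for n, line in enumerate(lines, 1):
            if OVERRIDE_RE.search(line):
                rel = src.relative_to(root_dir).as_posix()
                findings.append((f"{rel}:{n}", "code overrides the web.xml timeout"))
    return sorted(findings)

def build_sample_tree(base):
    """Write a constructed sample tree (not the real OFBiz files) under base."""
    ns = 'xmlns="http://xmlns.jcp.org/xml/ns/javaee"'
    cfg = "<session-config><session-timeout>{}</session-timeout></session-config>"
    samples = {
        "alpha/WEB-INF/web.xml": f"<web-app {ns}>{cfg.format(60)}</web-app>",
        "beta/WEB-INF/web.xml": f"<web-app {ns}><display-name>beta</display-name></web-app>",
        "gamma/WEB-INF/web.xml": f"<web-app>{cfg.format(-1)}</web-app>",
        "src/SampleListener.java": "class SampleListener {\n  void sessionCreated() {\n"
                                   "    session.setMaxInactiveInterval(60*60);\n  }\n}\n",
    }
    for rel, body in samples.items():
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for where, what in audit(build_sample_tree(tmp)):
            print(f"{where}: {what}")
```

To check a real checkout, call `audit()` on its root directory instead of the sample tree.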

Re: Session timeout for webapps

Jacques Le Roux
Administrator
Done, thanks Deepak

Jacques

Le 12/01/2019 à 07:24, Deepak Nigam a écrit :

> Hi Jacques,
>
> On double checking, I found that
> /applications/marketing/webapp/marketing/WEB-INF/web.xml and
> /applications/party/webapp/partymgr/WEB-INF/web.xml files have been missed.
> Apart from that, I think we need to work for web.xml of various plugins
> also.
>
> Thanks & Regards
> --
> Deepak Nigam
> HotWax Systems Pvt. Ltd
>
>
> On Fri, Jan 11, 2019 at 9:58 PM Jacques Le Roux <
> [hidden email]> wrote:
>
>> Hi Guys,
>>
>> Done, please double-check that I have not missed a web.xml files
>>
>> Thanks
>>
>> Jacques
>>
>> Le 11/01/2019 à 11:34, Jacques Le Roux a écrit :
>>> Thanks Guys,
>>>
>>> I'll do this afternoon using OFBIZ-6655
>>>
>>> Jacques
>>>
>>> Le 11/01/2019 à 07:03, Deepak Nigam a écrit :
>>>> Thanks, Jacques and Girish.
>>>>
>>>> Yes, it makes sense to get back to web.xml for the session timeout value.
>>>>
>>>> On Fri, Jan 11, 2019 at 11:13 AM Girish Vasmatkar <
>>>> [hidden email]> wrote:
>>>>
>>>>> Hi Jacques
>>>>>
>>>>> Yes, we should put back the session timeout declaration in web.xml. Given
>>>>> the fact that we can always mix web.xml and Annotation based configuration,
>>>>> it only makes sense to let web.xml decide the session timeout and even if
>>>>> we have the session listener (via web.xml declaration or Annotation), we
>>>>> should not programmatically try to override the setting.
>>>>>
>>>>> Thanks and Regards,
>>>>> Girish
>>>>>
>>>>>
>>>>> On Thu, Jan 10, 2019 at 7:14 PM Jacques Le Roux <
>>>>> [hidden email]> wrote:
>>>>>
>>>>>> Hi Deepak, Girish,
>>>>>>
>>>>>> I had a look at the issue. The specifications of Java Servlet
>>>>>> Specification 3.0 don't include an annotation to change the session time
>>>>>> out.
>>>>>>
>>>>>>       https://www.baeldung.com/servlet-session-timeout
>>>>>>       https://stackoverflow.com/questions/20389833/session-timeout-config-with-no-web-xml-file
>>>>>>
>>>>>> I think the best solution is to put back what we had before, ie set it to
>>>>>> a value (it was 1 hour before) in all web.xml file and remove the
>>>>>>
>>>>>>       session.setMaxInactiveInterval(60*60); //in seconds
>>>>>>
>>>>>> line in ControlEventListener::sessionCreated
>>>>>>
>>>>>> I thought about keeping this line if a check to null for the session
>>>>>> timeout value (from web.xml) was positive.
>>>>>> But by default Tomcat sets it to 30 min (so it's never null) and it's
>>>>>> possible but hard to change in OFBiz (eg to a known specific extraordinary
>>>>>> value that could be checked instead of null as above)
>>>>>> So it could be confusing and anyway best practice is to prefer convention
>>>>>> over configuration, even if in this case it's much redundant.
>>>>>>
>>>>>> I think we can reopen OFBIZ-6655 and handle it there, with an explanation.
>>>>>> Other ideas?
>>>>>>
>>>>>> Jacques
>>>>>>
>>>>>> Le 09/01/2019 à 10:11, Girish Vasmatkar a écrit :
>>>>>>> Hi Deepak
>>>>>>>
>>>>>>> By the time sessionCreated is called in an HttpSessionListener, the
>>>>>> session
>>>>>>> has already been created. I am sure if you try to get the HttpSession
>>>>>> from
>>>>>>> the HttpSessionEvent object, it will have what you defined in
>>>>>>> <session-timeout> tag.
>>>>>>>
>>>>>>> But the code is overriding the timeout using setMaxInactiveInterval
>> to
>>>>> 1
>>>>>>> hour that is why it is looking like web.xml is not being given
>>>>>>> precedence over programmatic session configuration.
>>>>>>>
>>>>>>> Whether web.xml takes precedence over annotation does not apply in
>> this
>>>>>>> case because anyway the session timeout value is being overridden by
>>>>> the
>>>>>>> code. The tomcat container definitely reads session-timeout from
>>>>> web.xml
>>>>>>> and assigns timeout for the session accordingly. But since a listener
>>>>> is
>>>>>>> configured for session lifecycle management, it invokes the method
>> and
>>>>>>> there the session value is being overridden.
>>>>>>>
>>>>>>> Try to set 2 minutes session timeout in web.xml and remove
>>>>>>> session.setMaxInactiveInterval(60*60).
>>>>>>> I would say you will be logged out after 2 minutes. If that is not
>> the
>>>>>>> case, pl let me know.
>>>>>>>
>>>>>>> I hope I understood your question and problem correctly.
>>>>>>>
>>>>>>> Best,
>>>>>>> Girish
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Jan 9, 2019 at 1:53 PM Deepak Nigam <
>>>>> [hidden email]>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Thanks, Jacques.
>>>>>>>>
>>>>>>>> Apart from the hardcoded thing, I am not able to override the
>> session
>>>>>>>> timeout value using <session-timeout> tag in web.xml.
>>>>>>>>
>>>>>>>> On Tue, Jan 8, 2019 at 1:55 PM Jacques Le Roux <
>>>>>>>> [hidden email]>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Hi Deepak,
>>>>>>>>>
>>>>>>>>> You are right, it's hardcoded and should not. I have no time to go
>>>>>>>> further
>>>>>>>>> at the moment, but I'll ASAP
>>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>>
>>>>>>>>> Jacques
>>>>>>>>>
>>>>>>>>> Le 08/01/2019 à 06:10, Deepak Nigam a écrit :
>>>>>>>>>> Hello all,
>>>>>>>>>>
>>>>>>>>>> I tried to set the session timeout for the 'ecommerce' and the
>>>>>>>>>> 'webtools' components using <session-config> of web.xml, but
>> unable
>>>>> to
>>>>>>>> do
>>>>>>>>>> so. Session for the logged-in user remains active even after the
>> set
>>>>>>>>> time.
>>>>>>>>>> On further research, I found that we did some changes in this area
>>>>> in
>>>>>>>> the
>>>>>>>>>> ticket OFBIZ-6655 <
>> https://issues.apache.org/jira/browse/OFBIZ-6655
>>>>>> .
>>>>>>>> We
>>>>>>>>>> have hard coded the session timeout (1 hr) in the sessionCreated()
>>>>>>>> method
>>>>>>>>>> of ControlEventListner class. As per the comments in the Jira
>>>>> ticket,
>>>>>>>>>> session timeout declarations in web.xml have been removed by the
>> use
>>>>>>>>>> of @WebListner annotation. This is to avoid duplicates things
>>>>>>>> everywhere
>>>>>>>>> in
>>>>>>>>>> web.xml files. Since the web.xml files have precedence on
>>>>> annotations,
>>>>>>>>> the
>>>>>>>>>> setting can be easily overridden when necessary.
>>>>>>>>>>
>>>>>>>>>> But the @WebListner is missing in the ControlEventListner class.
>>>>> Also,
>>>>>>>> I
>>>>>>>>> am
>>>>>>>>>> unable to override the session timeout in web.xml even after
>> putting
>>>>>>>> the
>>>>>>>>>> @WebListner annotation in ControlEventListner class.
>>>>>>>>>>
>>>>>>>>>> Please let me know if this is a real issue or I am doing something
>>>>>>>> wrong?
>>>>>>>>>> Thanks & Regards
>>>>>>>>>> --
>>>>>>>>>> Deepak Nigam
>>>>>>>>>> HotWax Systems Pvt. Ltd.
>>>>>>>>>>