如何在Tomcat中配置应用程序会话的最大持续时间? [英] How to configure a maximum duration of an application session in Tomcat?

问题描述

我需要将Tomcat中应用程序会话的最大持续时间配置为24小时.

I need to configure a maximum duration of an application session in Tomcat to 24 hours.

我无法在文档中找到合适的配置:

I was not able to find the appropriate configuration in the documentation:

https://tomcat.apache.org/tomcat-8.5 -doc/config/http.html

(SSLHostConfig有sessionTimeout，但我需要Connector配置；我们在Tomcat之前终止WebServer中的SSL连接，但由Tomcat处理会话管理.)

(There is sessionTimeout for SSLHostConfig but I need the Connector configuration; We terminate the SSL connection in the WebServer before Tomcat but the session management handled by Tomcat.)

已添加

我们已经处理了会话过期超时( Tomcat会话超时web.xml )

We already handled the session expiration timeout (Tomcat Session Timeout web.xml).

最大持续时间超时意味着即使用户在所有时间内都处于活动状态，其应用程序会话也将在最大持续时间超时之后失效.

The maximum duration timeout means that even the user active during all time its application session will be invalidated after the maximum duration timeout.

推荐答案

HttpSessionListener仅通知会话的创建和销毁，但不会在每个页面请求上调用.

HttpSessionListener will only notify session creation and destruction but won't be invoked on each page request.

我将实现一个过滤器来检查会话的创建时间，并使会话无效，并设置标头或重定向.

I'd implement a filter to check on session creation time and invalidate the session plus set headers or redirect.

在web.xml中添加:

In web.xml add:

<filter>
    <filter-name>Max Session Duration</filter-name>
    <filter-class>com.your.package.MaxSessionDurationFilter</filter-class>
    <init-param>
        <!-- Maximum session duration in hours -->
        <param-name>maxduration</param-name>
        <param-value>24</param-value>
    </init-param>
</filter>

和类似的映射

<filter-mapping>
  <filter-name>Max Session Duration</filter-name>
  <url-pattern>*.jsp</url-pattern>
</filter-mapping>

然后，过滤器的实现类似于:

Then the filter implementation is like:

package com.your.package;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class MaxSessionDurationFilter implements Filter {

    private final long oneHourMillis = 1000*60*60;

    private long maxDuration;

    private FilterConfig filterConfig;

    @Override
    public void init(FilterConfig fc) throws ServletException {
        filterConfig = fc;
        maxDuration = Long.parseLong(filterConfig.getInitParameter("maxduration"));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
        throws IOException, ServletException {
        HttpServletRequest httpReq = (HttpServletRequest) req;
        HttpServletResponse httpResp = (HttpServletResponse) resp;
        final long creationTime = httpReq.getSession().getCreationTime();
        final long currentTime = System.currentTimeMillis();
        if (currentTime-creationTime > maxDuration*oneHourMillis) {
            httpReq.getSession().invalidate();
            // Could also set headers to 403 forbidden
            // httpResp.setStatus(HttpServletResponse.SC_FORBIDDEN);
            httpResp.sendRedirect("expiredsession.jsp");
        } else {
            chain.doFilter(req, resp);
        }
    }

    @Override
    public void destroy() { }

}

这篇关于如何在Tomcat中配置应用程序会话的最大持续时间?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！