SEC-1379: Added creation of a session if session timeout is detected (requested session ID is invalid).

This prevents problems with repeated detection of the same invalid session when the redirected request comes in.
Luke Taylor 2010-01-23 00:10:32 +00:00
parent d931495c8a
commit 0974e21fb6
3 changed files with 16 additions and 2 deletions


@ -33,7 +33,7 @@
<x509 />
-->
<!-- Uncomment to limit the number of sessions a user can have -->
<session-management invalid-session-url="/something">
<session-management invalid-session-url="/timeout.jsp">
<concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</session-management>
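Review bot: The comment above `<session-management>` still reads "Uncomment to limit the number of sessions a user can have", but the element appears to be active in this hunk and now also drives the invalid-session redirect, so the comment no longer describes the block. Something like `<!-- Redirects requests with an invalid session ID to /timeout.jsp and limits each user to one session -->` would match what the configuration does. The intercept-url rules are outside the hunk, so it is worth confirming that `/timeout.jsp` is reachable without authentication; otherwise the redirect would presumably end at the login page rather than the timeout page.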


@ -0,0 +1,13 @@
<%@page session="false" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jstl/core_rt"%>
<html>
<title>Session Timeout</title>
<body>
<h2>Invalid Session</h2>
<p>
Your session appears to have timed out. Please <a href="<c:url value='/'/>">start again</a>.
</p>
</body>
</html>


@ -84,7 +84,8 @@ public class SessionManagementFilter extends GenericFilterBean {
logger.debug("Requested session ID" + request.getRequestedSessionId() + " is invalid.");
if (invalidSessionUrl != null) {
logger.debug("Redirecting to '" + invalidSessionUrl + "'");
logger.debug("Starting new session (if required) and redirecting to '" + invalidSessionUrl + "'");
request.getSession();
redirectStrategy.sendRedirect(request, response, invalidSessionUrl);
return;
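Review bot: `request.getSession()` now runs for every request with an invalid session ID once `invalidSessionUrl` is set, and that ID is supplied by the client before any authentication, so each request carrying a stale or made-up ID allocates a new server-side session. This does stop the repeated redirect, but the call would be safer behind a switch that deployments can turn off, for example a new boolean property (name here is only a suggestion) used as `if (createNewSession) { request.getSession(); }`. The discarded return value also deserves a comment such as `// Create a session so the redirected request no longer presents the invalid ID (SEC-1379)`. Separately, the first debug line in the hunk concatenates the client-supplied session ID into the log with no space after "ID" and no escaping. The enclosing method starts and ends outside the hunk.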