The server (at least Tomcat does) hides the difference between requests made directly by the browser and requests delayed and replayed through the authentication process. The difficulty with this is that in one case, the response is being delivered to a POST made by XMLHttpRequest, and in the other case the response is being delivered by a browser redirecting with a full page GET.

What appears to be workable is to add a special case for session expired being "browser readable" and taking the form of a redirect request to the expiry page (as sent from the server, not just as a redirect performed by the JavaScript bridge). For instance (diff has been edited so line numbers are not valid) the following seems to work as desired on tomcat:

===================================================================
— src/com/icesoft/faces/webapp/http/core/RequestVerifier.java (revision 19235)
+++ src/com/icesoft/faces/webapp/http/core/RequestVerifier.java (working copy)
@@ -3,6 +3,7 @@
import com.icesoft.faces.webapp.http.common.Request;
import com.icesoft.faces.webapp.http.common.Server;
import com.icesoft.faces.webapp.http.common.standard.EmptyResponse;
+import com.icesoft.faces.webapp.http.common.Configuration;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

@@ -10,10 +11,19 @@

public class RequestVerifier implements Server {
private final static Log log = LogFactory.getLog(RequestVerifier.class);
+ private Configuration configuration;
private String sessionID;
private Server server;

• public RequestVerifier(String sessionID, Server server)
  Unknown macro: {+ public RequestVerifier(Configuration configuration, String sessionID, Server server) { + this.configuration = configuration; this.sessionID = sessionID; this.server = server; }@@ -28,7 +38,8 @@ server.service(request); }

  else

  { log.debug("Missmatched 'ice.session' value. Session has expired."); - request.respondWith(SessionExpiredResponse.Handler); + request.respondWith(SessionExpiredResponse.getRedirectingHandler(configuration.getAttribute("sessionExpiredRedirectURI"))); +// request.respondWith(SessionExpiredResponse.Handler); }

  } else

  Unknown macro: { if( log.isDebugEnabled() ){ Index: src/com/icesoft/faces/webapp/http/core/SessionExpiredResponse.java =================================================================== --- src/com/icesoft/faces/webapp/http/core/SessionExpiredResponse.java (revision 19235) +++ src/com/icesoft/faces/webapp/http/core/SessionExpiredResponse.java (working copy) @@ -1,6 +1,8 @@ package com.icesoft.faces.webapp.http.core; import com.icesoft.faces.webapp.command.Command; +import com.icesoft.faces.webapp.http.common.Response; +import com.icesoft.faces.webapp.http.common.ResponseHandler; import com.icesoft.faces.webapp.http.common.standard.FixedXMLContentHandler; import java.io.IOException; @@ -14,4 +16,14 @@ SessionExpiredCommand.serializeTo(writer); } }

  ;
  +
  + public static ResponseHandler getRedirectingHandler(final String redirectURI) {
  + ResponseHandler handler = new ResponseHandler()

  Unknown macro: {+ public void respond(Response response) throws Exception { + response.setStatus(302); + response.setHeader("Location", redirectURI); + }+ }

  ;
  + return handler;
  + }
  }
  Index: src/com/icesoft/faces/webapp/http/servlet/MainSessionBoundServlet.java
  ===================================================================

  • • src/com/icesoft/faces/webapp/http/servlet/MainSessionBoundServlet.java (revision 19235)
      +++ src/com/icesoft/faces/webapp/http/servlet/MainSessionBoundServlet.java (working copy)
      @@ -124,13 +124,13 @@
      receivePing = OKServer;
      } else { //setup blocking connection server - sendUpdatedViews = new RequestVerifier(sessionID, new PushServerDetector(session, sessionID, synchronouslyUpdatedViews, allUpdatedViews, monitorRunner, configuration, messageService, this)); - sendUpdates = new RequestVerifier(sessionID, new SendUpdates(configuration, views, this)); - receivePing = new RequestVerifier(sessionID, new ReceivePing(views, this)); + sendUpdatedViews = new RequestVerifier(configuration, sessionID, new PushServerDetector(session, sessionID, synchronouslyUpdatedViews, allUpdatedViews, monitorRunner, configuration, messageService, this)); + sendUpdates = new RequestVerifier(configuration, sessionID, new SendUpdates(configuration, views, this)); + receivePing = new RequestVerifier(configuration, sessionID, new ReceivePing(views, this)); }

Server upload = new UploadServer(views, configuration);

• Server receiveSendUpdates = new RequestVerifier(sessionID, new ReceiveSendUpdates(views, synchronouslyUpdatedViews, sessionMonitor, this));
  + Server receiveSendUpdates = new RequestVerifier(configuration, sessionID, new ReceiveSendUpdates(views, synchronouslyUpdatedViews, sessionMonitor, this));

dispatchOn(".*block\\/receive\\-updated
-views$", new EnvironmentAdaptingServlet(sendUpdatedViews, configuration, session.getServletContext()));
PathDispatcherServer dispatcherServer = new PathDispatcherServer();

Changed files supporting

<context-param>
<param-name>
com.icesoft.faces.sessionExpiredServerRedirect
</param-name>
<param-value>true</param-value>
</context-param>

Hello,

I see that this issue is still open and no progress was done since September 2009. Does this mean that the problem with Secured connection still exists?

Does the patch published above work? Please let me know. We just deployed on production with certificate based authentication and session keeps on expiring.

The above suggestion worked well in the test environment. Does your environment have different configuration?

Ok, I have the feeling that my situation is a bit more complicated... although it might be related somehow with this problem.

SSL connection works fine using 'direct internet' connection, but it keeps on expiring when I access the application through an http proxy. The public part works also behind the proxy, but not the secured. After some refresh I can do something, but the session expires very fast. Are you aware of any SSL + Proxy issue?