
Why session not timeout

### Useful links

  1. Timeout settings in WAS

  2. Java Session invalidate and timeout does not work

  3. JSP login page session timeout

  4. REST services basic auth session timeout

### Basic auth steps

Briefly, Basic authentication (RFC 2617) works like this:

  1. The client requests some resource.

  2. The server recognizes that the resource has a security constraint in web.xml, so it sends an HTTP 401 "Authorization required" response. The header contains something like...

    WWW-Authenticate: Basic realm="Protected"

  3. The client resends its request, but this time with the credentials (base64-encoded) in the header, e.g. ...

    Authorization: Basic dG9tY2F0OnMzY3JIdA==

  4. The server authenticates the request based on the given credentials and sends the requested resource.

In order to make web browsing convenient for humans, virtually every browser caches the credentials until the browser is closed. Every time you reload the page in the browser, the "Authorization" entry is sent in the request header. Therefore you are not asked for your credentials again while testing your web service with a browser.

### Cyper's attempt

  1. Enter user/pass in the dialog; the browser then adds the request header below:

    Authorization: Basic bGdpbG1vcmVAYXUxLmlibS5bG1vcS5jb20=

  2. If you request the page a second time (the browser now also adds JSESSIONID in the Cookie header), the headers look like this:

    Authorization: Basic bGdpbG1vcmVAYXUxLmlibS5jb206cmVAYXUxLmlibS5jb20=
    Cookie: JSESSIONID=00009RNA9pcLQSi1OHhiWQOmwLx:-1; CookieChecker=set; CMAVID=none; cmTPSet=Y; 51040000_clogin=l=1425356444&v=1&e=1425358246064

    Note that this JSESSIONID is generated by the server and sent in a response header like this:

    Set-Cookie: JSESSIONID=00009RNA9pcLQSi1OHhiWQOmwLx:-1; Path=/; HttpOnly

    Also note that with Basic auth, the browser sends the credentials in the header of each and every request.

  3. When the session times out, the server executes request.getRemoteUser(), re-logs this user in automatically, and sends a new JSESSIONID to the browser in the header below:

    Set-Cookie: JSESSIONID=0000O0OB4W_4sxtn6elSmolMxI9:-1; Path=/; HttpOnly

  4. The browser updates the JSESSIONID in its cookie store and sends this cookie back with every subsequent request.

  5. If you want to expire the Basic auth, you need to remove the Authorization header from the browser's requests. Here is the method:

In Firefox you can choose Clear Recent History from the History menu (Ctrl + Shift + Del), then select just Active Logins in the details to clear only those sessions.

### Login directly in the browser without the popup dialog

We can use the URL below:

    https://user:pass@www.example.com/mygroups.wss

See superuser.

### How request.getRemoteUser() works

See stackoverflow.

In cyper's opinion, what Clear Active Logins does is remove the Authorization header from the browser's requests; the JSESSIONID is not actually removed from the Cookie.

### Final solution

  1. Check the session object in SecurityInterceptor.java.

    If the session object is null, it either means this is a request from a new client, or it is a request from an existing client whose session has expired (session timeout).

  2. Identify whether it is a new client or an expired session.

    A request from a new client does not include JSESSIONID in its cookie.

    1. If the system can't find JSESSIONID in the user's cookie, treat it as a new client and check request.getRemoteUser() further; if that returns null: "You are not logged in, please login first." Otherwise, log this user in and continue with authentication.

    2. If JSESSIONID exists in the Cookie header but the session is null: "Your session is expired, please relogin."

  3. If the session object is not null, go on to check authentication directly.
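As an added example (not code from the original post), the decision flow above written as a servlet Filter. It assumes the Servlet 3.x javax API, that the container performs Basic auth as configured in web.xml, and a hypothetical class name SessionStateFilter standing in for SecurityInterceptor.java:

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter implementing the three-way check from the "Final solution" steps.
public class SessionStateFilter implements Filter {
    private static final String SESSION_COOKIE = "JSESSIONID";

    // Step 2: did the client present a JSESSIONID cookie at all?
    // (req.getRequestedSessionId() != null is the Servlet API equivalent of this scan.)
    static boolean hasSessionCookie(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return false;
        for (Cookie c : cookies) {
            if (SESSION_COOKIE.equals(c.getName())) return true;
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Step 1: look up the existing session without creating a new one.
        HttpSession session = req.getSession(false);
        if (session != null) {
            chain.doFilter(request, response); // Step 3: session alive, authentication is checked downstream
            return;
        }
        if (hasSessionCookie(req)) {
            // Step 2.2: the client sent a JSESSIONID but the server no longer holds that session.
            // This is reported even though the container would silently re-authenticate the cached Basic credentials.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Your session is expired, please relogin.");
            return;
        }
        // Step 2.1: no JSESSIONID, so this is a new client; rely on the container's Basic auth result.
        String user = req.getRemoteUser();
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "You are not logged in, please login first.");
            return;
        }
        req.getSession(true).setAttribute("user", user); // log the user in by creating the session
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

Because the browser replays the Basic credentials on every request, the Step 2.2 branch is what makes an expired session visible at all; without it the container's automatic re-login hides the timeout, which is the behaviour the post set out to explain.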

Reposted from: https://my.oschina.net/uniquejava/blog/382191
