Bug 1521012 - [GSS](6.4.z) default-session-timeout doesn't apply to apps containing session-config
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Web
Version: 6.4.18
Hardware: Unspecified
OS: Unspecified
Target Milestone: CR1
Target Release: EAP 6.4.20
Assignee: Aaron Ogburn
QA Contact: Michael Cada
URL: https://github.com/jbossas/jboss-eap/...
Whiteboard:
Depends On:
Blocks: eap6420-payload
Reported: 2017-12-05 15:54 UTC by Aaron Ogburn
Modified: 2021-06-10 13:50 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-02 07:31:08 UTC
Type: Bug
Embargoed:


Attachments
bz1521012.war (1.14 KB, application/zip)
2017-12-05 15:56 UTC, Aaron Ogburn


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Knowledge Base (Solution) | 3262011 | 0 | None | None | None | 2017-12-05 16:03:04 UTC

Description Aaron Ogburn 2017-12-05 15:54:38 UTC
Description of problem:

The default-session-timeout from the web subsystem does not apply to applications that contain a <session-config> in their web.xml (even if no session timeout is set in the web.xml).  The presence of the <session-config> results in the app having a SessionConfigMetaData with a default session timeout of 30 minutes that overrides the default-session-timeout set in the web subsystem.


Version-Release number of selected component (if applicable):


How reproducible:

Always


Steps to Reproduce:
1. Set a default-session-timeout:

        <subsystem xmlns="urn:jboss:domain:web:2.2" default-virtual-server="default-host" native="false" default-session-timeout="15">


2. Deploy an app with the following in its web.xml (for example, the attached war):

    <session-config>
        <cookie-config>
            <http-only>true</http-only>
        </cookie-config>
    </session-config>

3. Check that the session timeout is 30 minutes instead of 15 (easily done by requesting the attached app's index.jsp)

Actual results:

default-session-timeout does not apply


Expected results:

default-session-timeout does apply


Additional info:

Note that default-session-timeout does apply in this case on EAP 7
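
Added example, not part of the original report or the attached war: a Python check that flags deployments matching the condition in the description (a <session-config> with no <session-timeout>), so affected apps can be found before relying on default-session-timeout. The function names and the sample web.xml are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample: a complete web.xml wrapping the fragment from step 2.
SAMPLE_WEB_XML = b"""<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
    <session-config>
        <cookie-config>
            <http-only>true</http-only>
        </cookie-config>
    </session-config>
</web-app>"""

def _local(tag):
    """Drop any '{namespace}' prefix so namespaced and bare web.xml both match."""
    return tag.rsplit("}", 1)[-1]

def session_timeout_status(web_xml):
    """Classify a web.xml by where its session timeout comes from.
    'no-session-config': nothing in the app overrides the container default
    'explicit:<minutes>': the app sets <session-timeout> itself
    'implicit-default': <session-config> without <session-timeout>, the case
        in this report, where the app gets 30 minutes on affected EAP 6.4
    """
    root = ET.fromstring(web_xml)
    for child in root:
        if _local(child.tag) != "session-config":
            continue
        for item in child:
            if _local(item.tag) == "session-timeout" and (item.text or "").strip():
                return "explicit:" + item.text.strip()
        return "implicit-default"
    return "no-session-config"

def audit_war(war_bytes):
    """Return the status of WEB-INF/web.xml inside a WAR, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        if "WEB-INF/web.xml" not in war.namelist():
            return None
        return session_timeout_status(war.read("WEB-INF/web.xml"))

def build_sample_war():
    """Build an in-memory WAR holding SAMPLE_WEB_XML (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", SAMPLE_WEB_XML)
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_war(build_sample_war()))
```

An app reported as implicit-default can be given an explicit <session-timeout> in its web.xml so the intended value holds regardless of the container version.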

Comment 1 Aaron Ogburn 2017-12-05 15:56:14 UTC
Created attachment 1363253
bz1521012.war

Comment 4 Jiří Bílek 2018-04-27 12:00:08 UTC
Regression tests passed
Verified with EAP 6.4.20.CP.CR1

