users@glassfish.java.net

Re: JSP FORM-based authentication redirects to expired session context

From: <glassfish_at_javadesktop.org>
Date: Mon, 15 Sep 2008 18:02:21 PDT

> By "session times out", are you referring to some internal application time out, or the container based session timeout?

This is the container-based timeout. I'm not mucking with sessions at all other than to require/use them. The app server is right now conducting all session functionality. What seems to be happening when a user leaves their browser open for longer than the session timeout period on the server is the following:

1) User performs action in GUI causing server callback (AJAX or full JSF Navigation)
2) Server sees request with expired session ID
3) Server serves up my specified login form
4) User enters credentials and submits
5) Server successfully authenticates user
6) Server seems to use old session ID (instead of what should have been a new session ID from step 5) to request the original action from step 1
7) Server gives the user a page reporting session expiration right after user successfully logs in.

> If it's an application timeout, are you invalidating the session? Invalidating a session seems to be a good way to destroy the authentication and "log out".

This is the part that is confusing. It seems like the appserver should set up a new valid session after the login--but it doesn't seem to be.
[Message sent by forum member 'jrobey' (jrobey)]

http://forums.java.net/jive/thread.jspa?messageID=299478
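
One way to check which session ID each request in steps 1 to 7 actually carries, as an added example that is not part of the original post and not GlassFish code: a servlet filter that logs whether the ID sent by the browser is still valid and which session exists before and after the request is handled. The class name `SessionTraceFilter` and the log format are hypothetical, and the filter is assumed to be mapped to `/*` in `web.xml`.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical diagnostic filter (added example, not GlassFish code). */
public class SessionTraceFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(SessionTraceFilter.class.getName());

    /** State of the session ID the browser sent, judged before any session is created. */
    static String classify(String requestedId, boolean requestedIdValid) {
        if (requestedId == null) return "NO_ID_SENT";
        return requestedIdValid ? "VALID" : "STALE"; // STALE: expired or unknown to the container
    }

    /** Session IDs are credentials: log a short prefix only, enough to correlate lines. */
    static String mask(String id) {
        if (id == null) return "-";
        return id.substring(0, Math.min(6, id.length())) + "...";
    }

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        String sent = r.getRequestedSessionId();
        String state = classify(sent, r.isRequestedSessionIdValid());
        String user = r.getUserPrincipal() == null ? "-" : r.getUserPrincipal().getName();
        HttpSession before = r.getSession(false); // false: never create a session here
        LOG.info("IN  " + r.getRequestURI() + " sent=" + mask(sent) + " state=" + state
                + " session=" + mask(before == null ? null : before.getId()) + " user=" + user);
        try {
            chain.doFilter(req, res);
        } finally {
            HttpSession after = r.getSession(false);
            LOG.info("OUT " + r.getRequestURI() + " session="
                    + mask(after == null ? null : after.getId())
                    + " new=" + (after != null && after.isNew()));
        }
    }
}
```

A request logged with `state=STALE` and a non-empty `user` after login would match the behaviour described in step 6. The login submit itself may not pass through application filters on every container, so the lines to compare are those for the request replayed after authentication.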