Neeraj

Reputation: 155

HTTP Status 408 error with Tomcat form-based authentication

My application is written in JSP and has form-based authentication. I am using Apache and Tomcat 7.

Here is my problem:

Sometimes, when the session times out and I try to log in to the application again, it displays the 408 error message below:

HTTP Status 408 - The time allowed for the login process has been exceeded. If you wish to continue you must either click back twice and re-click the link you requested or close and re-open your browser

I would appreciate it if somebody could help me resolve this.

Upvotes: 7

Views: 10282

Answers (2)

johnl

Reputation: 234

Add a timer to refresh your login page after 25 minutes or so.
Something like:

<script>
setTimeout(function(){ location.reload(); },1000 * 60 * 25);
</script>

(Make sure you have no-cache headers for your login page as well.)

Explanation: When you are using the FORM auth-method, you also specify a yourLoginPage.jsp.

This page is then rendered by j_security_check. I believe that at the time the page is rendered, the page render time is being tracked via servlet-session. In other words, the security check expects that the time from rendering the login-page to the time of submitting the login page should occur within a reasonable time span. The default session timeout is 30 minutes for Tomcat, so set your login-page timeout to be less than 30 minutes, or less than your specified session timeout.

Upvotes: 0

Will Keeling

Reputation: 23004

I think this is down to session cookie handling by Internet Explorer. There are two possible solutions you can try.

1. Modify Internet Explorer cookie handling preferences

Click Tools -> Internet Options, then click on the Privacy tab, then the Advanced button. Check 'Override automatic cookie handling', then make sure first party and third party cookies are set to accept, and check 'Always allow session cookies'.

2. Add http-equiv meta tags to the generated HTML

<meta http-equiv="Cache-Control" content="no-store,no-cache,must-revalidate"> 
<meta http-equiv="Pragma" content="no-cache"> 
<meta http-equiv="Expires" content="-1"> 

Alternatively these can be added as headers directly to the response.

response.addHeader("Cache-Control", "no-store,no-cache,must-revalidate");
response.addHeader("Pragma", "no-cache");
response.addHeader("Expires", "-1");

Upvotes: 4
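
An added check, not part of the answers above or of Tomcat: a JavaScript function that classifies whether a login-page response with the cache headers discussed in the answers could be reused from the browser cache, which is how a stale login form ends up being submitted. The function names and the three result labels are assumptions made for this example.

```javascript
// Added example. Result labels ('not-stored', 'revalidate', 'cacheable')
// are this example's own; sample header values used with it are constructed.
function parseCacheControl(value) {
  const directives = new Map();
  for (const part of (value || '').split(',')) {
    const [name, arg] = part.trim().split('=');
    if (name) directives.set(name.toLowerCase(), (arg || '').replace(/"/g, ''));
  }
  return directives;
}

function loginPageCachePolicy(headers, now = Date.now()) {
  // HTTP header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  const cc = parseCacheControl(h['cache-control']);
  if (cc.has('no-store')) return 'not-stored';   // never written to cache
  if (cc.has('no-cache')) return 'revalidate';   // must ask the server first
  if (cc.has('max-age')) {
    // max-age takes precedence over Expires when both are present.
    return Number(cc.get('max-age')) > 0 ? 'cacheable' : 'revalidate';
  }
  // Pragma only matters when Cache-Control is absent (HTTP/1.0 fallback).
  if (!('cache-control' in h) && /\bno-cache\b/i.test(h['pragma'] || '')) {
    return 'revalidate';
  }
  if ('expires' in h) {
    // Anything that is not a well-formed HTTP date, such as "-1" or "0",
    // is treated as a time in the past.
    const httpDate = /^\w{3}, \d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2} GMT$/;
    const t = httpDate.test(h['expires']) ? Date.parse(h['expires']) : NaN;
    return Number.isNaN(t) || t <= now ? 'revalidate' : 'cacheable';
  }
  return 'cacheable'; // no explicit policy: heuristic caching is allowed
}
```

A login page that comes back as 'cacheable' can be shown again without a fresh request to the server, so the form the user submits may belong to a session that has already expired.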
