FIX: Make session timeout inactive-time only.
By default, the Session.timeout configuration option specifies the total session time, regardless of the amount of activity. This change means that the timeout specifies how long the session may go without any further dynamic requests before the session cookie expires. The way it does this is to re-set the session cookie expiry with a subsequent Set-Cookie command each time a request that necessitates a session is called. Strictly speaking, it's a change in session timeout semantics, but I think it's a good one, because total-session-time-regardless-of-activity is a stupid timeout to include, and has more to do with the mechanics of the internet than with application security requirements.
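The two timeout semantics the commit contrasts, as an added example that is not part of the commit or the project's code. It models a session whose Set-Cookie expiry is re-set on every dynamic request (the new, idle-time behaviour) beside the old total-time check, and simulates both against the same request timeline; the cookie name, session id and timestamps are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
from http.cookies import SimpleCookie


class SlidingSession:
    """Session whose expiry is measured from the last request (hypothetical helper)."""

    def __init__(self, timeout_seconds, now):
        self.timeout = timedelta(seconds=timeout_seconds)  # Session.timeout, as idle time
        self.created = now
        self.last_activity = now

    def expires_at(self):
        # Expiry is always relative to the most recent request, not to creation.
        return self.last_activity + self.timeout

    def is_expired(self, now):
        return now >= self.expires_at()

    def touch(self, now):
        """Handle a dynamic request at `now`.

        Returns the Set-Cookie value that pushes the expiry forward, or None if
        the session already lapsed and the caller must start a new one.
        """
        if self.is_expired(now):
            return None
        self.last_activity = now
        cookie = SimpleCookie()
        cookie["SESSID"] = "constructed-session-id"  # placeholder, not a real id
        cookie["SESSID"]["expires"] = self.expires_at().strftime("%a, %d %b %Y %H:%M:%S GMT")
        cookie["SESSID"]["path"] = "/"
        cookie["SESSID"]["httponly"] = True
        return cookie.output(header="").strip()


def requests_served(timeout_seconds, request_offsets, sliding):
    """Count requests one session serves before lapsing.

    request_offsets are seconds after creation at which requests arrive.
    sliding=True is the new idle-time semantics; False is the old total-time check.
    """
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed start time
    session = SlidingSession(timeout_seconds, t0)
    served = 0
    for offset in request_offsets:
        now = t0 + timedelta(seconds=offset)
        if sliding:
            if session.touch(now) is None:
                break
        elif now >= session.created + session.timeout:
            break
        served += 1
    return served
```

With a 60-second timeout and requests every 30 seconds, the old semantics cut the session off at the third request while the new semantics keep it alive for as long as activity continues; a 70-second gap still ends it.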