This is a guess as you haven't given information on what was happening before the timeout.
I imagine you are in a protected area moving from page to page and your session times out. You try to go to the next page which is protected. You need to log in first, try to go to that page and then get redirected to the timeout page? Just a hypothesis.
Correct. I can't seem to find a way around the issue.
The other issue with session timeout routing is on a POST. A person enters some data, is called away, and then comes back and pushes the button. The user is reauthenticated and then an attempt is made to validate the data entered. However, the data is not saved on a POST and all the validation fails. I can't find a way to intercept the system directing the user back to the form. Since their data is gone, I would like to direct them to a neutral page and make them start over again.
When you need to do complex things with authentications and sessions, you sometimes have to resort to doing things your own way. By this, I mean that you have to abandon form-based authentication, or other automatic authentication and employ your own framework.
We have done this with our applications to achieve custom logons, and redirections to various pages indicating to the user what has happened. It means that for every page, you need to check for valid sessions and redirect accordingly. But you have fine-grained control over incorrect password entries, session-timeouts and you also have control over session recovery. So you have to weigh up the coding cost over the control.
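A sketch of the per-request session check described in the post above, written as a servlet filter. This is an added example, not part of the original thread or any poster's code; the paths `/login`, `/timeout.jsp` and `/start-over.jsp` and the `user` session attribute are assumed names.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added illustration: a hand-rolled session check replacing container form-based auth.
// "/login", "/timeout.jsp", "/start-over.jsp" and the "user" attribute are assumed names.
public class SessionCheckFilter implements Filter {

    public void init(FilterConfig config) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getServletPath();

        // These pages must stay reachable without a session, or the redirect loops.
        if (path.equals("/login") || path.equals("/timeout.jsp")
                || path.equals("/start-over.jsp")) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false) never creates a session; null means none exists.
        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute("user") != null) {
            chain.doFilter(req, res);
            return;
        }

        // The browser presented a session id the container no longer accepts:
        // that is a timeout rather than a first visit.
        boolean timedOut = request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();

        String target;
        if ("POST".equalsIgnoreCase(request.getMethod())) {
            // The posted form data will not survive re-login, so do not return
            // the user to the form; send them to a neutral page to start over.
            target = "/start-over.jsp";
        } else if (timedOut) {
            target = "/timeout.jsp";
        } else {
            target = "/login";
        }
        response.sendRedirect(
                response.encodeRedirectURL(request.getContextPath() + target));
    }
}
```

The filter would be mapped to `/*` in `web.xml` so that every request passes through it. The login handler behind `/login` is expected to set the `user` attribute on a freshly created session after the password check succeeds.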
I'm getting similar strange behaviour which I believe is associated with session timeout.
Is there any progress in this area? I can't believe this isn't handled properly.
I need to do some more research, but if anyone has some light to put on this...
I'm using JBoss 3.2.3 with the Tomcat 4.1 bundle (Coyote connector).
Further investigation revealed a bug in my code :-)
In spite of my bug fix, I am left with the scenario outlined by dutchman_mn in his second post in this thread.
Hmm... HttpSessionListener looks interesting...