Affects Version/s: None
Fix Version/s: None
We want these two things to be true:
1) If the web socket is a protected resource in the web application, that is to say, requires an authorized user to access it, and the user explicitly invalidates the HttpSession, the web socket implementation must close the web socket connection immediately.
2) If the user of the web application is actively using the web sockets within the web application, but does not access any of the web resources, the web socket implementation must keep the HttpSession from timing out (TBD: this is a request to the servlet specification).
This is because authentication state is carried in the HttpSession.
But what about the unauthenticated case? Does an explicit invalidate need to close the web sockets? Does a timeout matter?
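An application-level way to get the behaviour in item 1, as an added example that is not code from this issue or from any web socket implementation. All class names and the `/protected` path are hypothetical, and it assumes the `javax.*` Servlet and WebSocket APIs and a container that gives each connection its own copy of the endpoint config's user properties.

```java
import java.io.IOException;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.*;
import javax.websocket.*;
import javax.websocket.server.*;

// Hypothetical names throughout; not part of any specification or container.
@WebListener
public class SessionBoundSockets implements HttpSessionListener {
    private static final String KEY = "httpSessionId";
    // HttpSession id -> web sockets opened under that session
    private static final ConcurrentHashMap<String, Set<Session>> OPEN = new ConcurrentHashMap<>();

    @Override public void sessionCreated(HttpSessionEvent e) { }

    // Runs on invalidate() and on timeout; the listener cannot tell them apart.
    @Override public void sessionDestroyed(HttpSessionEvent e) {
        Set<Session> sockets = OPEN.remove(e.getSession().getId());
        if (sockets == null) return;
        for (Session ws : sockets) {
            try {
                ws.close(new CloseReason(CloseReason.CloseCodes.VIOLATED_POLICY, "HTTP session ended"));
            } catch (IOException ignored) { /* peer already gone */ }
        }
    }

    // Copies the HttpSession id from the opening handshake into the endpoint config.
    public static class Binder extends ServerEndpointConfig.Configurator {
        @Override public void modifyHandshake(ServerEndpointConfig sec, HandshakeRequest req, HandshakeResponse resp) {
            HttpSession http = (HttpSession) req.getHttpSession();
            if (http != null) sec.getUserProperties().put(KEY, http.getId());
        }
    }

    @ServerEndpoint(value = "/protected", configurator = Binder.class)
    public static class ProtectedEndpoint {
        @OnOpen public void open(Session ws, EndpointConfig cfg) throws IOException {
            String id = (String) cfg.getUserProperties().get(KEY);
            if (id == null) { // no HttpSession, so no authentication state to rely on
                ws.close(new CloseReason(CloseReason.CloseCodes.VIOLATED_POLICY, "no HTTP session"));
                return;
            }
            ws.getUserProperties().put(KEY, id);
            OPEN.computeIfAbsent(id, k -> ConcurrentHashMap.newKeySet()).add(ws);
        }
        @OnClose public void close(Session ws) {
            Object id = ws.getUserProperties().get(KEY);
            if (id != null) OPEN.computeIfPresent((String) id, (k, set) -> { set.remove(ws); return set.isEmpty() ? null : set; });
        }
    }
}
```

This covers only item 1; it does nothing to keep the HttpSession alive while the web socket is in use (item 2). If the application changes the session id after login, the map key has to be updated as well.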