Is there a possibility to avoid or forbid a client refresh if a session timeout occurred?
My problem is that we log in to the server with a client certificate (Tomcat handles the authentication process) and if the session timed out the user will be logged in again automatically. But that is a security problem since the user may already have left his desk. If there were no automatic refresh and no chance to refresh over a button, that would be very helpful.
...but the relogon is done with a new session. Couldn't you react accordingly - by e.g. finding out that the session is not authorized yet?
Answer to your question: you can set up your own "Error Screen" by registering an implementation of the interface "ILocalErrorScreenProvider" (this is a client interface). The error screen is just a normal XML page. The default implementation is DefaultErrorScreenProvider.