SessionTimeout: web.xml vs session.maxInactiveInterval()
Now, i'm being told that this will terminate the session (or is it all sessions?) in the 15th minute of use, regardless their activity.
This is wrong. It will just kill the session when the associated client (webbrowser) has not accessed the website for more than 15 minutes. The activity certainly counts, exactly as you initially expected, seeing your attempt to solve this.
The HttpSession#setMaxInactiveInterval()
doesn't change much here by the way. It does exactly the same as <session-timeout>
in web.xml
, with the only difference that you can change/set it programmatically during runtime. The change by the way only affects the current session instance, not globally (else it would have been a static
method).
To play around and experience this yourself, try to set <session-timeout>
to 1 minute and create a HttpSessionListener
like follows:
@WebListener
public class HttpSessionChecker implements HttpSessionListener {
public void sessionCreated(HttpSessionEvent event) {
System.out.printf("Session ID %s created at %s%n", event.getSession().getId(), new Date());
}
public void sessionDestroyed(HttpSessionEvent event) {
System.out.printf("Session ID %s destroyed at %s%n", event.getSession().getId(), new Date());
}
}
(if you're not on Servlet 3.0 yet and thus can't use @WebListener
, then register in web.xml
as follows):
<listener>
<listener-class>com.example.HttpSessionChecker</listener-class>
</listener>
Note that the servletcontainer won't immediately destroy sessions after exactly the timeout value. It's a background job which runs at certain intervals (e.g. 5~15 minutes depending on load and the servletcontainer make/type). So don't be surprised when you don't see destroyed
line in the console immediately after exactly one minute of inactivity. However, when you fire a HTTP request on a timed-out-but-not-destroyed-yet session, it will be destroyed immediately.
See also:
- How do servlets work? Instantiation, sessions, shared variables and multithreading
Difference between setting session timeouts using web.xml and setMaxInactiveInterval
Session timeout can be set on various levels:
- In the application server there is usually default settings, that can be changed - it is a default for all applications, or for given application (depending on server config capabilities).
- Then in the application descriptor - you can override it by using
web.xml
- it will be used for all sessions in the given application - Then in the application code - you can override it using
session.setMaxInactiveInterval()
, it will be overridden only for that session
As Roman wrote:
no matter how you set it, it is invalidated by the container when timeout expires.
You should rather avoid programmatic approach (last one), as it is easy to miss some session and it will get the default timeout, and you will have inconsistent behavior. Use web.xml
if you want to ensure given timeout (business requirement) and don't want to rely on server capabilities.
Related Topics
Generate JPA 2 Entities from Existing Database
Factorial Using Recursion in Java
How to Increase the Java Heap Size in Netbeans
Does Java Read Integers in Little Endian or Big Endian
Java: Calling a Super Method Which Calls an Overridden Method
Converting Little Endian to Big Endian
What Throws an Ioexception in Java
Why Dispatcherservlet Creates Another Application Context
How to Read an Aws S3 File with Java
JPA - Returning an Auto Generated Id After Persist()
How to Hide a Jframe in System Tray of Taskbar
Export PDF Pages to a Series of Images in Java
How to Configure Log4J with a Properties File
How to Handle Deserializing with Polymorphism
Jersey 2.X Custom Injection Annotation with Attributes
What Is the Equivalent of Java Static Final Fields in Kotlin