Tomcat Session Timeout web.xml

Question

This is my web.xml file, it is located in WEB-INF/lib. It specifies session timeout at 1 minute, however it does not time the user out after 1 minute of activit

Answer 1

If your ogjective is to test session expiry, you don't have to wait at all. You application server may offer a way of expiring sessions manually. In Tomcat for example, you can do so through the manager application. Next to each application there's an "Expire sessions" button with a field next to it where you can specify the idle time threshold. All sessions that have been idle for a period above the threshold will be invalidated. To invalidate all sessions simply type in 0 and hit enter; all session will expire regardless of the value in web.xml.

If you're not using Tomcat, look at the documentation of your application server and you may find a way to do so through the administration console or command line.

Answer 2

1. One minute is a ridiculously low session timeout. It should be several hours.

2. The timeout happens after that much inactivity, not that much activity.

3. The correct test is request.getSession(false) == null, or request.getSession(true).isNew().

Answer 3

The web.xml should be directly in WEB-INF, not in WEB-INF/lib.

Answer 4

Session timeout hierarchy:

• TOMCAT_HOME/conf/web.xml
• WebApplication/webapp/WEB-INF/web.xml
• Hardcoding your session timeout in Java : HttpSession.setMaxInactiveInterval(int)

The order of the session timeout configuration:

HttpSession.setMaxInactiveInterval(int) > $WebApplication/webapp/WEB-INF/web.xml > $TOMCAT_HOME/conf/web.xml

Each subsequent entry overrides the above configuration.

Best regards.