0

I need the sessions in my web application not to time out. They should be there until the user logs out manually. It might be a bad call but I must implement it.

I tried the below in web.xml

<session-config>
    <session-timeout>
        -1
    </session-timeout>
</session-config>

However, the session is still timing out! Any suggestions?

PeakGen

5 Answers

1

You can do this too:

<session-config>
    <session-timeout>0</session-timeout>
</session-config>

You can see how it works just here

Community
Archy
1

I want to advise against setting an infinite Session Timeout. It is a very bad call, as this is one certain way to implement a Memory Leak. As a result you will have an ever-growing set of 'active' sessions. Each of them has the potential to store a considerable amount of data in Session Attributes. Each of them can have additional data associated with the session (injects, resources, beans).

Your application will continue to degrade over time until you are forced to restart.

Also I would like to state that the longer a session is active, the more susceptible it is to hacking and intercepts.

You state,

"It might be a bad call but I must implement it."

Yes, a very bad call indeed, but I am glad you know. I would like to have the opportunity to provide you an alternative solution. Can you provide the reason, and maybe some code to help document your case?

Actually, thinking about some real-life scenarios, I had the situation where we didn't want to expire the user page with settings and information he has gathered in his session. It was a complex graphing solution that needed much input. The user will just hit refresh to retrieve the most recent data.

The solution to the above scenario was to not store it as part of the session, but instead encode it in the page itself. The simplest way would be to use <input type="hidden"> fields. You could also use embedded XML, or make it part of the URL (to make a true browser refresh work).

YoYo
  • sure. Here is the reason - http://stackoverflow.com/questions/30034486/why-i-cant-access-the-servlet-after-the-session-time-out – PeakGen May 05 '15 at 08:38
  • I guess I don't understand the flow, but if the actual login expired, and the user needs to re-login, you need to reset all the Session Attributes again. I could advise you to try to store some of those parameters as part of the page, but if they are login related, I would also advise totally against it to avoid any hacking. – YoYo May 05 '15 at 08:50
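
YoYo's answer suggests keeping page state in hidden fields or the URL instead of the session; whatever is stored there comes back as client-controlled input. The following is an added example, not code from the thread: it tags the state with an HMAC so the server can reject modified values. The class name SignedPageState, the secret and the sample state are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
// Hypothetical helper: keeps page state in a hidden field and detects tampering.
public class SignedPageState {
    private static final String ALG = "HmacSHA256";
    private final SecretKeySpec key;

    public SignedPageState(byte[] serverSecret) { this.key = new SecretKeySpec(serverSecret, ALG); }

    private byte[] mac(byte[] data) throws GeneralSecurityException {
        Mac m = Mac.getInstance(ALG);
        m.init(key);
        return m.doFinal(data);
    }

    // Hidden-field value: base64url(state) + "." + base64url(HMAC(state)).
    public String encode(String state) throws GeneralSecurityException {
        byte[] raw = state.getBytes(StandardCharsets.UTF_8);
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        return b64.encodeToString(raw) + "." + b64.encodeToString(mac(raw));
    }

    // Returns the state, or null when the field is malformed or was modified by the client.
    public String decode(String field) throws GeneralSecurityException {
        String[] parts = field == null ? new String[0] : field.split("\\.");
        if (parts.length != 2) return null;
        try {
            byte[] raw = Base64.getUrlDecoder().decode(parts[0]);
            byte[] tag = Base64.getUrlDecoder().decode(parts[1]);
            // Constant-time comparison of the received tag with the recomputed one.
            if (!MessageDigest.isEqual(tag, mac(raw))) return null;
            return new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException badBase64) {
            return null;
        }
    }
    public static void main(String[] args) throws Exception {
        // Constructed secret and state; a real secret is random and never leaves the server.
        SignedPageState s = new SignedPageState("constructed-demo-secret".getBytes(StandardCharsets.UTF_8));
        String field = s.encode("range=7d&series=cpu,mem");
        System.out.println(s.decode(field));                    // untouched field
        System.out.println(s.decode("X" + field.substring(1))); // first character altered
    }
}
```

This gives integrity only: the user can still read the state, and a signed value stays valid indefinitely unless a timestamp is included in the signed data and checked on decode.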
0

Use an HttpSessionListener. In the sessionCreated() method, you can set the session timeout programmatically.

import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

public class MyHttpSessionListener implements HttpSessionListener {
  public void sessionCreated(HttpSessionEvent event) {
    // The interval is in seconds; a negative value means the session never times out.
    event.getSession().setMaxInactiveInterval(-1);
  }
  public void sessionDestroyed(HttpSessionEvent event) {}
}

And don't forget to define the listener in the deployment descriptor:

<web-app>
  ...
  <listener>
    <listener-class>com.MyHttpSessionListener</listener-class>
  </listener>
</web-app>

Karan Verma
Saurabh Jhunjhunwala
0

In web.xml define the following

<session-config>
    <session-timeout>-1</session-timeout>
</session-config>

which has the same effect as the code posted above and will apply to all sessions for that web-app.

ramp
  • 1
    Yes. Sorry - so how do you mean it's not working? Are you invalidating your session anywhere? – ramp May 05 '15 at 08:08
0

You can also use the following:

HttpSession session = request.getSession();
session.setMaxInactiveInterval(0);

or

HttpSession session = request.getSession();
session.setMaxInactiveInterval(-1);


Afsun Khammadli