In the web app (Servlet-JSP MVC) I am working on I have set session timeout as -1, which means the session will never expire until it is intentionally invalidated during logout.

<session-config>
    <session-timeout>-1</session-timeout>
</session-config>

But if the user stays idle (i.e. no activity on the application) and then refreshes the application after some time, the session expires.

I am using Apache Tomcat 7.0 with XAMPP for my application.

What might be the reason? What can be done to keep the session alive indefinitely? What does "-1" in the session-timeout tag actually mean?

Tavo
raviraja

1 Answer

A better approach is to use an AJAX call to refresh the session, and not to set the session-timeout too long, because the user can close the browser without quitting, and then the session entities will be kept in memory but will never be used again.

Your settings not working may be caused by a conflict between the settings in these three places:

(1) Java code: `session.setMaxInactiveInterval(600);`

(2) The webapp's web.xml

(3) The container's (Tomcat?) settings: conf/web.xml, or Catalina/localhost/yourapp/context.xml, or server.xml, or even in your app's submodule jars.

<Context path="/" docBase="/yourapp/base"      
  defaultSessionTimeOut="3600"  ... />  

The priorities are (1) > (2) > (3).

————EDIT————

According to the Tomcat 7 documentation, in case you use SSL (https://tomcat.apache.org/tomcat-7.0-doc/config/http.html):

sessionTimeout

The time, in seconds, after the creation of an SSL session that it will timeout. Use 0 to specify an unlimited timeout. If not specified, a default of 86400 (24 hours) is used.

Use 0 to specify an unlimited timeout

This link, JSESSIONID Cookie with Expiration Date in Tomcat, and this one, https://stackoverflow.com/a/13463566/1484621, are also worth a look.

The correct way to test the session is `request.getSession(false) == null`, or `request.getSession(true).isNew()`.

According to the source code:

/**
 * Set the default session timeout (in minutes) for this
 * web application.
 *
 * @param timeout The new default session timeout
 */
@Override
public void setSessionTimeout(int timeout) {

    int oldSessionTimeout = this.sessionTimeout;
    /*
     * SRV.13.4 ("Deployment Descriptor"):
     * If the timeout is 0 or less, the container ensures the default
     * behaviour of sessions is never to time out.
     */
    this.sessionTimeout = (timeout == 0) ? -1 : timeout;
    support.firePropertyChange("sessionTimeout",
                               oldSessionTimeout,
                               this.sessionTimeout);

}

Setting the session-timeout to 0 or -1 will have the same result.

Community
Yu Jiaao
  • I am using the 2nd approach, i.e. setting session-timeout in the web.xml of the webapp; as far as I know it will override the container session-timeout value. About the AJAX call approach, can you throw some more insight on it? In which JSP should I make the AJAX call? I didn't get a clear idea. – raviraja Apr 20 '17 at 12:40
  • Then you have to check your code where you invalidate the session; is there a logic problem? – Yu Jiaao Apr 20 '17 at 12:45
  • The only place I invalidated the session is in the LogOut controller: when the user hits the logout button, the session will be invalidated. Except for that, I didn't invalidate the session anywhere else. Provide some inputs on AJAX refreshing. – raviraja Apr 20 '17 at 12:48
  • Can you provide a [mcve](http://stackoverlow.com/help/scve) here? What version of the container and Java do you use? – Yu Jiaao Apr 20 '17 at 12:52
  • We are using Tomcat 7.0 on XAMPP with Java SE 8; the default timeout according to the Tomcat docs is 30 minutes unless we override it in web.xml. – raviraja Apr 20 '17 at 13:32
  • You can try configuring a `HttpSessionListener` to trace the session creation and destruction events. – Yu Jiaao Apr 20 '17 at 15:10
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/142253/discussion-between-migrated-pigeon-and-yu-jiaao). – raviraja Apr 21 '17 at 08:07
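
The `HttpSessionListener` suggested in the comments, as an added example that is not code from the question or the answer: it logs the effective timeout when a session is created and, when one is destroyed, whether it had been idle past that timeout. The class name `SessionTraceListener` and the `mask` helper are assumptions; the code targets the `javax.servlet` 3.0 API that Tomcat 7 provides.

```java
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical class name. @WebListener registers it on Servlet 3.0 containers
// (Tomcat 7); a <listener> element in the webapp's web.xml works as well.
@WebListener
public class SessionTraceListener implements HttpSessionListener {

    private static final Logger LOG =
            Logger.getLogger(SessionTraceListener.class.getName());

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        HttpSession s = event.getSession();
        // Effective timeout in seconds after web.xml and container defaults are
        // applied; a negative value means the session never times out.
        LOG.info("session created id=" + mask(s.getId())
                + " maxInactiveInterval=" + s.getMaxInactiveInterval() + "s");
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        // Called just before invalidation, so the session is still readable.
        HttpSession s = event.getSession();
        long idleSeconds =
                (System.currentTimeMillis() - s.getLastAccessedTime()) / 1000;
        int max = s.getMaxInactiveInterval();
        String cause = (max > 0 && idleSeconds >= max)
                ? "idle timeout"
                : "invalidate() call or container action";
        // The attached stack trace shows who triggered the destruction: a request
        // thread running application code, or the container's background thread.
        LOG.log(Level.INFO, "session destroyed id=" + mask(s.getId())
                + " idle=" + idleSeconds + "s max=" + max + "s cause=" + cause,
                new Throwable("destroy call site"));
    }

    // Hypothetical helper: log only a prefix, since a full session ID in a log
    // file is a usable credential.
    private static String mask(String id) {
        return id.length() > 6 ? id.substring(0, 6) + "..." : id;
    }
}
```

If the creation line reports a positive `maxInactiveInterval` even though web.xml says -1, one of the other configuration places listed in the answer is overriding it.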