I already did some homework before posting the question here, and I understood that Session-Timeout will make my session expire if my server does not get any request within the defined time limit.

But my doubt is:

MY SERVER IS SESSIONLESS, i.e. IT DOES NOT MAINTAIN SESSIONS AT ALL.

For each request, I check if a token is present; if so, I grant the request, otherwise I reject it. Also, if the user chooses to sign out, I mark that token invalid, so that the next time someone uses that token, the protected API cannot be accessed.

And yes, I am using an expiry time while generating a new token.

Does this mean I do not have to set up "session-timeout" in my web.xml?

Or am I missing something?

Thank you.

/***** UPDATED ******/

Let me add some more information. I take "Username" and "Password" from the user and generate a token with an expiry of 1 day. With each API request I expect the user to send me this token, and only then will I let him go further. When he logs out, I mark this token invalid, so the next time he tries to use any API, I ask him again for "Username" and "Password" <-- this is what I am assuming his session was over when he clicked "log me out".

Now, my doubt is:

Suppose the user first comes and gives me "Username" and "Password", and I generate one token and give it to him, and I set the expiry for the token to 1 DAY.

And now I set Session-timeout = 20 minutes; this means if the user does not make any request within 20 minutes, his session will be over.

But I am sure that if after 20 minutes he hits any API, the server will grant the request, as the token is still valid (the user has not logged out yet).

So what's the use of using "SESSION-TIMEOUT"?

shrayansh
  • What exactly do you mean when you say `MY SERVER DO NOT MAINTAIN SESSION AT ALL.`? Have you modified your Tomcat context.xml? By default your session will be stored on your Tomcat server and the default timeout would be 30 minutes. – Nitin Prabhu May 23 '17 at 10:05
  • No, I have not changed anything. I am using a JWT token for authenticating the user, not maintaining any session. Is there something like a default session? Sorry, I don't know about that. I will find out more about it. – shrayansh May 23 '17 at 10:12
  • It all depends on how you have set up your application, e.g. JSPs. I'd recommend attaching an HttpSessionListener to your application; this way you can track things. Btw., generally the 'session' refers to a cookie called 'jsessionid'. http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpSessionListener.html – home May 23 '17 at 10:17
  • Have a look at this: https://stackoverflow.com/questions/2255814/can-i-turn-off-the-httpsession-in-web-xml – Nitin Prabhu May 23 '17 at 10:18

1 Answer

In a JEE Servlet app, the session is a value associated with a cookie. Behind the scenes, this value is used by the servlet container as a key to store a map of attributes in server memory. The session-timeout value in web.xml establishes how long a user can be inactive before the cookie value expires and the map is disposed of for garbage collection.

Andres
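The per-request token check the question describes, set against the answer's point that the servlet session is a separate cookie-keyed map, as an added example that is not code from either poster: a signed token with the asker's 1-day expiry, validated on every request with no HttpSession, plus a server-side revocation set that sign-out adds to. The HS256 encoding, the secret, the claim names and the `REVOKED` set are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-secret"  # assumption: HMAC key known only to the server
REVOKED = set()  # token ids invalidated on sign-out; entries only matter until exp

def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(username: str, now: int, ttl_seconds: int = 86400) -> str:
    """Issue an HS256 JWT valid for 1 day (the asker's setting) with a unique id."""
    header = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": username, "iat": now, "exp": now + ttl_seconds,
              "jti": secrets.token_hex(8)}
    payload = _b64u(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64u(sig)}"

def check_request(token: str, now: int) -> str:
    """Stateless per-request check: returns 'ok' or the reason for rejection.
    Nothing here depends on an HttpSession, so web.xml's session-timeout never
    applies; only exp and the revocation set decide."""
    try:
        header, payload, sig = token.split(".")
        hdr = json.loads(_unb64u(header))
        claims = json.loads(_unb64u(payload))
        provided = _unb64u(sig)
        exp, jti = int(claims["exp"]), claims["jti"]
    except (ValueError, KeyError, TypeError):
        return "malformed"
    if hdr.get("alg") != "HS256":  # pin the algorithm; never trust alg from the token
        return "bad-alg"
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):
        return "bad-signature"
    if now >= exp:
        return "expired"
    if jti in REVOKED:
        return "revoked"
    return "ok"

def sign_out(token: str) -> None:
    """Mark the token invalid; only its jti needs storing, and only until exp."""
    if check_request(token, 0) in ("ok", "expired"):  # signature must verify first
        REVOKED.add(json.loads(_unb64u(token.split(".")[1]))["jti"])
```

The revocation set is the one piece of server-side state this design still needs, so "sessionless" means no HttpSession, not no state; if it is kept only in one JVM's memory, a restart or a second node forgets every sign-out until the tokens expire on their own.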