0

I have this piece of code configured in my web.xml file to validate a user session.

<session-config> <session-timeout>30</session-timeout> </session-config>

i want to understand its internal working as to how a particular user is validated and where, when a user makes a request after 30 mins.

Zues
  • 9
  • 3

1 Answers1

1

A "session" is identified by the JSESSIONID identifier send with every request by the client (e.g. browser). This identifier is either send per cookie or by request parameter (query parameter). The web container maintains a map of all active sessions under their JSESSIONID identifier. If the configured timeout has passed by without any request for this JSESSIONID identifier, then the session is seen as "timed out". All data you have put into this session is lost (incl. eventual authentication information).

siom
  • 1,610
  • 1
  • 14
  • 21
  • Thanx @siom, it was helpful. Can you tell me which http status code is returned when session expires?? – Zues Aug 21 '17 at 05:17
  • https://stackoverflow.com/questions/1653493/what-http-status-code-is-supposed-to-be-used-to-tell-the-client-the-session-has – siom Aug 21 '17 at 06:22