
I am working with WildFly 11 and JSF/Primefaces.

I would like my users' session cookies to expire at a specific point in time, let's say today at midnight.

I understand that I can configure

<session-config>
    <cookie-config>
        <max-age>3600</max-age>
    </cookie-config>
</session-config>

in my web.xml to set the max-age of the session cookie.

But how can I set a dynamic value like

<session-config>
    <cookie-config>
        <max-age>calculateMaxAgeForThisSpecificLogin()</max-age>
    </cookie-config>
</session-config>

I would be thankful for any hint in the right direction.

edit: To clarify: I understand that I can set the session timeout like this:

<session-config>
    <session-timeout>30</session-timeout>
</session-config>

Or alternatively, the session timeout can be set dynamically in the application code. Unfortunately, this will not address the issues that I am faced with:

  1. The session-timeout will destroy the session on the server side when there are no requests generated for the specified amount of time. There is no way to predict when this will be. If the browser continues to generate requests (i.e. a bug), the session will never be destroyed. As far as I understand, setting a timeout is no way to ensure the session will be destroyed at a specific point in time.
  2. If not specified otherwise, the session cookie will live until the browser is closed. In my in-house corporate environment, this can very well mean forever as many users just lock their workstations but never close their browsers. Even if the session is invalidated on the server side, the browser will still send a possibly very old session cookie. Per default, the JSESSIONID cookie contains a server part after the last dot (i.e. "...app-server-1") which is used by the load balancers to evaluate the appropriate route. Sending old session cookies may lead to unintended routes over the load balancers, causing further issues in respect to version management.

So, setting max-age will help as the browsers will stop sending very old session cookies.

My question is about setting a specific point in time for the JSESSIONID cookie, to be able to align load balancing and version management with session lifetime and browser behavior.

Thomas
  • Possible duplicate of [How to set session timeout dynamically in Java web applications?](https://stackoverflow.com/questions/2960764/how-to-set-session-timeout-dynamically-in-java-web-applications) – Kukeltje May 29 '18 at 19:30
  • Your title is too specific, what you effectively need is to be able to set it dynamically (programmatically). For that, search engines would have given you an answer. Always try to 'generalize' a question. – Kukeltje May 29 '18 at 19:39
  • Please note, that I intentionally asked about max-age of the session cookie in the browser, not about the server side session timeout. – Thomas May 30 '18 at 06:57
  • Ah, ok, I understand now, sorry I misread it (so many questions to follow/scan/help). Will retract the close duplicate vote – Kukeltje May 30 '18 at 10:16
  • See the last paragraph in the answer in https://stackoverflow.com/questions/35105410/what-is-the-difference-between-session-timeout-and-max-age-in-web-xml Not sure if there are other newer solutions – Kukeltje May 30 '18 at 10:20
  • Right, implementing an HttpServletResponseWrapper could be a way to do this, thank you. – Thomas May 30 '18 at 12:35
  • Does WildFly also 'abuse' the JSESSIONID cookie and put 'logic' in there? Jikes, thought only WebLogic did that. Or is it just an ID and did someone within your organization choose to use the content in the load balancer instead of keeping track of an internal table??? I'd check that first before putting logic in an application or overriding it server wide!!! – Kukeltje May 30 '18 at 12:44

1 Answer


Use a Filter:

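import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

public class SampleFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // No initialisation needed
    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        int cookieAge = 3600; // Or load from config file or database
        // Apply the value (in seconds) to the current session, creating one if none exists
        request.getSession().setMaxInactiveInterval(cookieAge);

        // Hand the request on to the rest of the chain
        filterChain.doFilter(servletRequest, servletResponse);
    }

    @Override
    public void destroy() {
        // Nothing to release
    }
}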
mah454
  • Better to use an http sessionListener as in the suggested duplicate – Kukeltje May 29 '18 at 19:31
  • And you can 'close' the question as a duplicate... please try – Kukeltje May 30 '18 at 05:54
  • Thanks for your effort, but this is not what I asked about. I did not ask about session timeout. I asked about the (browser side) max-age of the session cookie which is different from the server side session timeout. – Thomas May 30 '18 at 06:55
  • I think the code sample is misleading. setMaxInactiveInterval() does not set the cookie age. It will set the server side session timeout. From the documentation: setMaxInactiveInterval(int interval) Specifies the time, in seconds, between client requests before the servlet container will invalidate this session. – Thomas May 30 '18 at 07:43
  • He is specifically asking about JSESSIONID Cookie – Luis Mauricio Nov 23 '21 at 18:11
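
The distinction the thread turns on (server-side idle timeout versus browser-side cookie lifetime) can be handled with one filter. This is an added example, not code from the question, the answer, or WildFly: it gives each session a fixed deadline at the next local midnight (server time zone), invalidates the session once that has passed, and re-sends the container's own session cookie value with a matching Max-Age. The class name and the two session attribute names are hypothetical; it assumes the javax.servlet 3.1 API of WildFly 11 and that the session cookie path is the context path unless web.xml sets one.

```java
import java.io.IOException;
import java.time.ZonedDateTime;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example; class and attribute names are hypothetical.
public class MidnightSessionFilter implements Filter {
    private static final String DEADLINE = "example.deadline"; // epoch seconds
    private static final String REISSUED = "example.reissued"; // cookie value already re-sent

    // Epoch second of the next local midnight after 'now' (DST-safe).
    static long nextMidnight(ZonedDateTime now) {
        return now.toLocalDate().plusDays(1).atStartOfDay(now.getZone()).toEpochSecond();
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        SessionCookieConfig cfg = req.getServletContext().getSessionCookieConfig();
        String name = cfg.getName() != null ? cfg.getName() : "JSESSIONID";
        long now = ZonedDateTime.now().toEpochSecond();
        HttpSession s = req.getSession(false);
        Long deadline = s == null ? null : (Long) s.getAttribute(DEADLINE);
        boolean expired = deadline != null && now >= deadline;
        if (expired) s.invalidate(); // absolute timeout, independent of request activity
        if (deadline != null && req.getCookies() != null) {
            for (Cookie in : req.getCookies()) {
                if (!in.getName().equals(name)) continue;
                if (!expired && in.getValue().equals(s.getAttribute(REISSUED))) break;
                // Re-send the value the container issued (route suffix intact) with a lifetime.
                Cookie out = new Cookie(name, in.getValue());
                out.setMaxAge(expired ? 0 : (int) (deadline - now)); // 0 deletes the cookie
                out.setPath(cfg.getPath() != null ? cfg.getPath()
                        : req.getContextPath().isEmpty() ? "/" : req.getContextPath());
                out.setHttpOnly(true);
                out.setSecure(cfg.isSecure() || req.isSecure());
                res.addCookie(out);
                if (!expired) s.setAttribute(REISSUED, in.getValue());
                break;
            }
        }
        chain.doFilter(rq, rs);
        // A session created during this request (e.g. at login) gets its fixed deadline.
        HttpSession created = req.getSession(false);
        if (created != null && created.getAttribute(DEADLINE) == null)
            created.setAttribute(DEADLINE, nextMidnight(ZonedDateTime.now()));
    }
}
```

The cookie is re-sent on the first request that carries it, and again whenever its value changes (for example after a session ID change at login), so the browser-side expiry and the server-side deadline stay aligned.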