Session is expiring even when <session-timeout> is -1

In the web app (Servlet-JSP MVC) I am working on I have set session timeout as -1, which means the session will never expire until it is intentionally invalidated during logout.

<session-config>
    <session-timeout>-1</session-timeout>
</session-config>

But if the user stays idle (i.e. no activity on the application) and then refreshes the application after some time, the session expires.

I am using Apache Tomcat 7.0 with XAMPP for my application.

What might be the reason? What can be done to keep the session alive indefinitely? What does "-1" in the session-timeout tag actually mean?

A better approach is to use an AJAX call to refresh the session, but not to set the session-timeout too long, because the user can close the browser without quitting, and then the session entities will be kept in memory but will never be used again.

Your settings may not work because of a conflict between the settings in these three places:

(1) Java code: session.setMaxInactiveInterval(600);

(2) The webapp's web.xml

(3) The container's (Tomcat?) settings: conf/web.xml or Catalina/localhost/yourapp/context.xml or server.xml, or even in your app's submodule jars.

<Context path="/" docBase="/yourapp/base"      
  defaultSessionTimeOut="3600"  ... />  

The priorities are (1) > (2) > (3).

————EDIT————

According to the Tomcat 7 documentation, in case you use SSL ( https://tomcat.apache.org/tomcat-7.0-doc/config/http.html ):

sessionTimeout

The time, in seconds, after the creation of an SSL session that it will timeout. Use 0 to specify an unlimited timeout. If not specified, a default of 86400 (24 hours) is used.

Use 0 to specify an unlimited timeout

This link, "JSESSIONID Cookie with Expiration Date in Tomcat", and this one, https://stackoverflow.com/a/13463566/1484621 , are worth a look.

The correct way to test a session is request.getSession(false) == null, or request.getSession(true).isNew().

According to the source code:

/**
 * Set the default session timeout (in minutes) for this
 * web application.
 *
 * @param timeout The new default session timeout
 */
@Override
public void setSessionTimeout(int timeout) {

    int oldSessionTimeout = this.sessionTimeout;
    /*
     * SRV.13.4 ("Deployment Descriptor"):
     * If the timeout is 0 or less, the container ensures the default
     * behaviour of sessions is never to time out.
     */
    this.sessionTimeout = (timeout == 0) ? -1 : timeout;
    support.firePropertyChange("sessionTimeout",
                               oldSessionTimeout,
                               this.sessionTimeout);

}

Setting the session-timeout to 0 or -1 will have the same result.
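
To find out which of the three places discussed above actually decides the timeout, a session listener can log the interval each session is given and the idle time at which it is destroyed. This is an added example, not code from the question or the answers; the class name SessionTimeoutAudit and the log format are assumptions.

```java
import java.util.logging.Logger;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Added diagnostic example; the class name SessionTimeoutAudit is hypothetical.
// Uses only the Servlet 3.0 API that Tomcat 7 implements.
@WebListener
public class SessionTimeoutAudit implements HttpSessionListener {

    private static final Logger LOG =
            Logger.getLogger(SessionTimeoutAudit.class.getName());

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        HttpSession session = event.getSession();
        // Value the container assigned from its configuration (web.xml and
        // container defaults). Code that later calls setMaxInactiveInterval()
        // on this session replaces it.
        LOG.info("created   id=" + mask(session.getId())
                + " maxInactiveInterval=" + describe(session.getMaxInactiveInterval()));
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        // Called just before invalidation, so the session can still be read.
        HttpSession session = event.getSession();
        long idleSeconds =
                (System.currentTimeMillis() - session.getLastAccessedTime()) / 1000;
        // The interval logged here is the one in force at the end of the
        // session's life; if it differs from the "created" line, application
        // code changed it at runtime.
        LOG.info("destroyed id=" + mask(session.getId())
                + " idle=" + idleSeconds + "s"
                + " maxInactiveInterval=" + describe(session.getMaxInactiveInterval()));
    }

    // Per the HttpSession javadoc, a negative interval means no idle timeout.
    static String describe(int seconds) {
        return seconds < 0 ? seconds + " (no idle timeout)" : seconds + "s";
    }

    // Log only a prefix so that usable session ids never reach the log files.
    static String mask(String id) {
        return id.length() <= 6 ? "******" : id.substring(0, 6) + "...";
    }
}
```

If a user loses the session and no matching "destroyed" line was logged, the container did not expire it, which points away from the timeout settings and toward, for example, the JSESSIONID cookie.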
