The session timeout in a web application can be configurable in two ways
1) Timeout in the deployment descriptor (web.xml)
- Specified the timeout value in “minute” , enclose with “session-config” element.
<web-app ...> <session-config> <session-timeout>20</session-timeout> </session-config> </web-app>
The above setting is apply for the entire web application, and session will be kill by container if client doesn’t make any request after 20 minutes.
2) Timeout with setMaxInactiveInterval()
- You can manually specified the timeout value in “second” for a particular session.
HttpSession session = request.getSession(); session.setMaxInactiveInterval(20*60);
The above setting is only apply on session which call the “setMaxInactiveInterval()” method, and session will be kill by container if client doesn’t make any request after 20 minutes.
This is a bit confusing , the value in deployment descriptor (web.xml) is in “minute”, but the setMaxInactiveInterval() method is accept the value in “second”. Both functions should synchronize it in future release :)