hi , In session invalidation, the timeout period for that session can be specified in seconds using the setMaximumInactiveInterval() method. And even in the deployment descriptor, using the <session-timeout> tag, timeout for all sessions in the application can be specified in minutes. My question is, if both are specified for a session, then which one takes precedence? Thanks for the help. -Ali
Session.setMaxInactiveInterval() will work for that particular Session object. remember, <session-timeout> is for all the sessions in your web-app. So if you have this: <session-timeout>=5 and you call session1.setMaxInactiveInterval(360), then session1 will have timeout 6 minutes, but all the other sessions will have time-out 5 minutes.
Also note that there is a small inconsistancy between the Servlet DTD and API. A 0 (Zero) or -ve value for <session-timeout> would make the sessions not to expire. On the other hand, if we use HttpSession.setMaxInactiveInterval( int secs) method, only -ve values will make that session not to expire. From Servlet 2.3 DTD, -------------------- <!-- The session-timeout element defines the default session timeout interval for all sessions created in this web application. The specified timeout must be expressed in a whole number of minutes. If the timeout is 0 or less, the container ensures the default behaviour of sessions is never to time out. Used in: session-config --> From Servlet API ----------------- public void setMaxInactiveInterval(int interval)Specifies the time, in seconds, between client requests before the servlet container will invalidate this session. A negative time indicates the session should never timeout.
I wanted to check this with Tomcat and found that when I set <session-timeout>0</session-timeout> in web.xml, the session does get invalidated immediately after it's creation. (which is against the servlet 2.3 DTD ) Regards, Maha Anna [ November 30, 2002: Message edited by: Maha Annadurai ]