As per the servlet specs., if the time-out period for a session is set to -1, the session will never expire. In the HTTP protocol (Stateless) , there is no explicit termination signal when a client (browser) is no longer active. The session can be terminated by setting timeout period or explicitly invalidating the session. Even in some browser, you can use same session in two different windows. When one window is closed, the session remain active in another window.
Hi If the session timeout is set to -1, the server will not end the session. Meaning that even if the user closes the browser and comes back and goes to the same page. If the timeout period of the session on that server has not elapsed, the user will be able to log into the site automatically, without any login parameters. Unless ofcourse, ur page is intelligent enuff to trap a browser close event and send signal to the server to flush session and so, ask user to relogin at the time of coming back to the site. In case of sites like yahoo if u accidentally close your browser and come back to the site, it takes you to the email access page. this is assuming that the session timeout hasnt happened yet. BreakThru NOT BreakDown!