The method setMaxInactiveInterval set the time in seconds between the clients requests before sevlet container invalidate the session. The negative values indicate that session will never timeout. If you want to invalidate the session it has two possibilities a) call invalidate method of HttpSession. b) set setMaxInactiveInterval to zero.
The method setMaxAge set the maximum age of cookie in seconds. The positive values indicate that the cookie will expire after that many seconds have passed. The negative value means that the cookie it's not stored persistently and will be deleted when the browser exits. If the value is zero the cookie will delete. (see http://java.sun.com/j2ee/1.4/docs/api/index.html)