I'm studying the Head First Servlets and JSP book. In Chapter 6 (Conversation State) I came to know that one of the ways to invalidate a session is either by calling the setMaxInactiveInterval method from the HttpSession interface or by specifying the <session-timeout> tag in the DD.
The author explained the difference between the two ways like this:
The time (in minutes) specified in the <session-timeout> tag is applicable for ALL sessions, whereas setMaxInactiveInterval() overrides that global time set by the <session-timeout> tag for that particular session, if specified.
What confuses me is this:
At any time there will be only ONE session for a particular client (browser), so I think that "ALL Sessions" by the author is meant from the server's point of view. Am I correct?
So here is my assumption: since there will be only ONE session per client at any time, "ALL Sessions" is meant from the server's point of view (one per client).
Please tell me whether my assumptions are correct or not. If not, please clarify.
I couldn't understand your point properly but I think you are getting it wrong. Suppose you use <session-timeout> to set the session timeout to 20 minutes. Now there are two login panels in your site. In one of them, the servlet code to log in the user looks like this
So now for this user, the timeout will be 20 minutes. So if they don't do any activity for 20 minutes, their session will expire. In the second login panel, the servlet code to log in the user looks like this
Now this user can remain inactive for 30 minutes before their session expires. So basically the <session-timeout> value is used to decide the session's timeout period if you don't provide one using the setMaxInactiveInterval() method...
XYZ is a web-based system and the users of the system belong to departments. There are two departments,
finance and personal. Suppose the requirement is that for users who belong to the finance department the session timeout
is 10 minutes, and for users other than finance the session timeout should be 30 minutes.
1. Set default session time out using
to 30 minutes.
2. After successful user authentication, check the user's department.
If the department is finance, then
API to override the 30 min session timeout
to 10 minutes, and this session timeout will be applicable to that user, not other users and their
session timeout.
Hope this example helps you to get a clear understanding of the difference between
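The per-department timeout from the reply above, written out as a servlet. This is an added example, not code from the thread or from the book; it uses the javax.servlet API, and the class name, the request parameter names and the two abstract hooks (authenticate, departmentOf) are assumptions made for illustration.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// The DD (web.xml) sets the default for every session the container creates:
//   <session-config>
//     <session-timeout>30</session-timeout>   <!-- minutes -->
//   </session-config>
public abstract class DepartmentLoginServlet extends HttpServlet {

    // setMaxInactiveInterval() takes SECONDS; <session-timeout> takes minutes.
    // Zero or a negative value would mean the session never times out.
    private static final int FINANCE_TIMEOUT_SECONDS = 10 * 60;

    // Hypothetical hooks into the application's user store (assumptions).
    protected abstract boolean authenticate(String user, String password);
    protected abstract String departmentOf(String user);

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String user = req.getParameter("user");
        String password = req.getParameter("password");
        if (user == null || password == null || !authenticate(user, password)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Discard any pre-login session so the logged-in user gets a fresh id.
        HttpSession previous = req.getSession(false);
        if (previous != null) {
            previous.invalidate();
        }
        HttpSession session = req.getSession(true);
        session.setAttribute("user", user);

        // Override the 30-minute default for THIS session object only.
        // Sessions of other users keep whatever timeout they already have.
        if ("finance".equals(departmentOf(user))) {
            session.setMaxInactiveInterval(FINANCE_TIMEOUT_SECONDS);
        }

        resp.setContentType("text/plain");
        resp.getWriter().println("Session timeout in seconds: "
                + session.getMaxInactiveInterval());
    }
}
```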
Hi Ankit and Jitendra
Thanks for your replies and sorry for the delayed reply of mine.
I'm clear about the difference between the two.
To be very precise, the following is the extract from Chapter 6 (page no: 245):
If you want to change the session-timeout value for
a particular session instance (without affecting the
timeout length for any other sessions in the app):
I understood that for a particular client (browser) at any time there will be only one session (one jsessionId cookie) in both the server (web container) and the client (browser),
so in that sentence "any other sessions" refers to the sessions in the server for other clients.