We've a Tomcat 6 web application implementing the Servlet 2.4 specification. Reading on the web, I stumbled across docs that mentioned setting the session-timeout tag to -1 to never invalidate the session.
However, my session attributes are still turned null in the app when displaying information. I'm really stumped by this behavior and thought the session variables would remain intact forever.
What am I doing wrong here? Am I missing some more nuanced explanation here?
Pasted below is the portion of web.xml which deals with the session timeout tag.
1.) You should avoid setting infinite sessions.
2.) How did you determine that the session is timing out? I.e., how do you know that it's not some other logic which is clearing the values?
3.) You can also add an HttpSessionListener for debugging to check if the session really is expiring.
There are 2 reasons why infinite session life is not something you'd want:
1. Security. If a user walks away from the computer, anyone wandering by at any time can potentially do anything that user can do.
2. Resources. As long as a session exists, it's consuming resources (especially server RAM). Depending on the server and its configuration, forever can really mean forever, since the session may be serialized out (and potentially resumed) even if the server is stopped and restarted. Worse, if a user closes a browser and starts it again later, it's possible that an entirely new session would be created, leaving the server littered with orphan sessions.
There are cases when an infinite session would be desirable, but generally not when the clients are human beings, since human clients are more likely to bring out the less-desirable features of infinite-life sessions. And even in a perfect environment, you'd probably want to have mechanisms in place to clean up occasionally.
Better solutions include periodic refresh (via HTML meta tag or AJAX), which would reset the session timeout countdown, but allow it to time out if the client terminates.
An IDE is no substitute for an Intelligent Developer.
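The debugging listener suggested in the first reply, as an added example that is not part of the original thread: it records session creation and destruction and every attribute change, so the log shows whether the session really expired or other code cleared the values. The package and class names are hypothetical; it uses only the Servlet 2.4 listener interfaces and java.util.logging.

```java
package example.debug; // hypothetical package name

import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.*;

/*
 * Register in web.xml (Servlet 2.4):
 *   <listener>
 *     <listener-class>example.debug.SessionDebugListener</listener-class>
 *   </listener>
 */
public class SessionDebugListener
        implements HttpSessionListener, HttpSessionAttributeListener {

    private static final Logger LOG =
            Logger.getLogger(SessionDebugListener.class.getName());

    // Log only a prefix of the id: a full session id in a log file is a usable credential.
    private static String tag(HttpSession s) {
        String id = s.getId();
        return id.length() > 6 ? id.substring(0, 6) + "..." : id;
    }

    public void sessionCreated(HttpSessionEvent e) {
        HttpSession s = e.getSession();
        // A negative interval means the container never times the session out.
        LOG.info("created " + tag(s)
                + " maxInactiveInterval=" + s.getMaxInactiveInterval() + "s");
    }

    public void sessionDestroyed(HttpSessionEvent e) {
        HttpSession s = e.getSession();
        long idleSec = (System.currentTimeMillis() - s.getLastAccessedTime()) / 1000;
        LOG.info("destroyed " + tag(s) + " idle=" + idleSec
                + "s maxInactiveInterval=" + s.getMaxInactiveInterval() + "s");
    }

    public void attributeAdded(HttpSessionBindingEvent e) {
        LOG.info("attribute added: " + e.getName() + " in " + tag(e.getSession()));
    }

    public void attributeRemoved(HttpSessionBindingEvent e) {
        // The attached Throwable puts the removing call stack in the log.
        // Attribute values are deliberately not logged; they may be sensitive.
        LOG.log(Level.INFO, "attribute removed: " + e.getName()
                + " in " + tag(e.getSession()), new Throwable("removal call stack"));
    }

    public void attributeReplaced(HttpSessionBindingEvent e) {
        LOG.info("attribute replaced: " + e.getName() + " in " + tag(e.getSession()));
    }
}
```

If attributes come back null with no "destroyed" entry for that session, the session did not expire; look for a different session id prefix on the request (a new session was created) or for an "attribute removed" entry and its stack trace.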