
Session times out even when modifying the tag in web.xml

 
Ahsan Bagwan
Ranch Hand
Posts: 252
1
Java MySQL Database Ubuntu
We've a Tomcat 6 web application implementing the Servlet 2.4 specification. Reading on the web I stumbled across docs that mentioned the setting of session-timeout tag to -1 to never invalidate the session.

However, my session attributes are still turned null in the app when displaying information. I'm really stumped with this behavior and thought the session variables will remain intact forever.

What am I doing wrong here? Am I missing some more nuanced explanation here?

Pasted below is the portion of web.xml which deals with the session timeout tag.

 
E Armitage
Rancher
Posts: 989
9
  • Likes 1
1.) You should avoid setting infinite sessions.
2.) How did you determine that the session is timing out? I.e., how do you know that it's not some other logic which is clearing the values?
3.) You can also add an HttpSessionListener for debugging to check if the session really is expiring.
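
One way to write the debugging listener suggested in point 3, as an added example that is not part of the original post. The class and package names are hypothetical; it uses only the standard `javax.servlet.http` API available in Servlet 2.4 and logs a truncated session id so the log never holds a usable one.

```java
// Register in web.xml (class and package names are hypothetical):
//   <listener>
//     <listener-class>com.example.debug.SessionLifecycleLogger</listener-class>
//   </listener>
package com.example.debug;

import java.util.logging.Logger;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

public class SessionLifecycleLogger implements HttpSessionListener {
    private static final Logger LOG =
            Logger.getLogger(SessionLifecycleLogger.class.getName());

    public void sessionCreated(HttpSessionEvent event) {
        HttpSession s = event.getSession();
        // Interval is in seconds; a negative value means the session never times out.
        LOG.info("session created id=" + shortId(s)
                + " maxInactiveInterval=" + s.getMaxInactiveInterval() + "s");
    }

    public void sessionDestroyed(HttpSessionEvent event) {
        HttpSession s = event.getSession();
        long idleMs = System.currentTimeMillis() - s.getLastAccessedTime();
        int maxSec = s.getMaxInactiveInterval();
        // Idle time at or past the configured interval points to container expiry;
        // anything else points to invalidate() in application code or a redeploy.
        boolean idleExpiry = maxSec > 0 && idleMs >= maxSec * 1000L;
        String cause = idleExpiry
                ? "idle timeout"
                : "explicit invalidate() or context shutdown";
        // The thread name separates a request thread from container housekeeping.
        LOG.info("session destroyed id=" + shortId(s)
                + " idle=" + (idleMs / 1000) + "s"
                + " maxInactiveInterval=" + maxSec + "s"
                + " likelyCause=" + cause
                + " thread=" + Thread.currentThread().getName());
    }

    // Log only a prefix of the id: a full session id in a log file is a credential.
    private static String shortId(HttpSession s) {
        String id = s.getId();
        return id.length() > 8 ? id.substring(0, 8) + "..." : id;
    }
}
```

If attributes turn null and no "session destroyed" line was logged, the session did not expire: either other code removed the attributes, or a fresh "session created" line at that moment shows the browser was handed a new session.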
 
Ahsan Bagwan
Ranch Hand
Posts: 252
1
Java MySQL Database Ubuntu
Thanks, appreciate the advice.
 
Tim Holloway
Saloon Keeper
Pie
Posts: 18012
47
Android Eclipse IDE Linux
  • Likes 2
There are 2 reasons why infinite session life is not something you'd want:

1. Security. If a user walks away from the computer, anyone wandering by at any time can potentially do anything that user can do.

2. Resources. As long as a session exists, it's consuming resources (especially server RAM). Depending on the server and its configuration, forever can really mean forever, since the session may be serialized out (and potentially resumed) even if the server is stopped and restarted. Worse, if a user closes a browser and starts it again later, it's possible that an entirely new session would be created, leaving the server littered with orphan sessions.

There are cases when an infinite session would be desirable, but generally not when the clients are human beings, since human clients are more likely to bring out the less-desirable features of infinite-life sessions. And even in a perfect environment, you'd probably want to have mechanisms in place to clean up occasionally.

Better solutions include periodic refresh (via HTML meta tag or AJAX), which would reset the session timeout countdown, but allow it to time out if the client terminates.
 