aspose file tools*
The moose likes Tomcat and the fly likes Session times out even when modifying the tag in web.xml Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Products » Tomcat
Bookmark "Session times out even when modifying the tag in web.xml" Watch "Session times out even when modifying the tag in web.xml" New topic
Author

Session times out even when modifying the tag in web.xml

Ahsan Bagwan
Ranch Hand

Joined: Oct 05, 2010
Posts: 158
We've a Tomcat 6 web application implementing the Servlet 2.4 specification. Reading on the web I stumbled across docs that mentioned the setting of session-timeout tag to -1 to never invalidate the session.

However, my session attributes are still turned null in the app when displaying information. I'm really stumped with this behavior and thought the session variables will remain intact forever.

What am I doing wrong here? Am I missing some more nuanced explanation here?

Pasted below is the portion of web.xml which deals with the session timeout tag.

E Armitage
Rancher

Joined: Mar 17, 2012
Posts: 892
    
    9
1.) You should avoid setting infinite sessions.
2.) How did you determine that the session is timing out? i.e How do you know that it's not some other logic which is clearing the values
3.) You can also add an HttpSessionListener for debugging to check if the session really is expiring.
Ahsan Bagwan
Ranch Hand

Joined: Oct 05, 2010
Posts: 158
Thanks, appreciate the advice.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16070
    
  21

There are 2 reasons why infinite session life is not something you'd want:

1. Security. If a user walks away from the computer, anyone wandering by at any time can potentially do anything that user can do.

2. Resources. As long as a session exists, it's consuming resources (especially server RAM). Depending on the server and its configuration, forever can really mean forever, since the session may be serialized out (and potentially resumed) even if the server is stopped and restarted. Worse, if a user closes a browser and starts it again later, it's possible that an entirely new session would be created, leaving the server littered with orphan sessions.

There are cases when an infinite session would be desirable, but generally not when the clients are human beings, since human clients are more likely to bring out the less-desirable features of infinite-life sessions. And even in a perfect environment, you'd probably want to have mechanisms in place to clean up occasionally.

Better solutions include periodic refresh (via HTML meta tag or AJAX), which would reset the session timeout countdown, but allow it to timeout if the client terminates.


Customer surveys are for companies who didn't pay proper attention to begin with.
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Session times out even when modifying the tag in web.xml