There are five different ways through which you can maintain session-timeout values
1. Server Level Lowest level
2. Enterprise Application Overrides the Server Level if Override is selected
3. Web Application Overrides the Server and Enterprise Application settings if Override is selected
4. Application Level (web.xml) Overrides Server, Enterprise Application, and Web Application settings
5. Application Code Overrides all other settings
Better to have your own session-timeout configured in setMaxInactiveInterval of HTTPSession.