Session timeout handling in Java

Mar 20, 2016

Tomcat's default session timeout is 30 minutes, but the default varies from container to container. The default session timeout can be changed in two ways:

1. By configuring the timeout in web.xml

2. Programmatically

But when should the web.xml configuration be used, and when should the timeout be set programmatically?
The two approaches to configuring the session timeout in Java web containers are configuring it in web.xml and setting it programmatically.



How to configure the timeout to 15 minutes in web.xml?




<session-config>
    <session-timeout>15</session-timeout>
</session-config>


This setting sets the timeout to 15 minutes globally for all sessions created by the web container. If the web container does not receive any request for a session within a 15 minute span, it invalidates that session automatically.

But I don't want the session to expire; how do I set that?


If you do not want the session to expire, you can configure it like this:

<session-config>
    <session-timeout>0</session-timeout>
</session-config>

The web container interprets a timeout of 0 minutes as infinite.
Setting an infinite timeout is not recommended, because once a session is created it never expires and stays live on the server until the server is restarted or you invalidate it from a servlet by calling session.invalidate() on some user action (e.g. logout).
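As an added example (not code from the original post), here is a logout servlet that performs the session.invalidate() call mentioned above. It uses getSession(false) so that a logout request from a client that has no session does not create one; the /logout mapping and the /login redirect target are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Assumed mapping; it could equally be declared in web.xml.
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        // getSession(false) returns null instead of creating a fresh session
        // for a client that has nothing to log out of.
        HttpSession session = request.getSession(false);
        if (session != null) {
            // Server-side state is discarded; the old session id is no longer valid.
            session.invalidate();
        }
        // Assumed landing page after logout.
        response.sendRedirect(request.getContextPath() + "/login");
    }
}
```

Logout is handled on POST rather than GET so that a plain link or embedded image cannot trigger it on a user's behalf.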

How to configure the timeout to 15 minutes programmatically?




Call session.setMaxInactiveInterval() to set the session timeout; note that it takes the interval in seconds, not minutes.

How to set the timeout for each session programmatically?



import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

public class AppHttpSessionListener implements HttpSessionListener {

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        // Applies to every new session; the argument is in seconds.
        event.getSession().setMaxInactiveInterval(15 * 60);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        // Session destroyed (timed out or invalidated); nothing to do here.
    }
}

and register this listener in web.xml as

<web-app>
    <listener>
        <listener-class>com.groupkt.example.AppHttpSessionListener</listener-class>
    </listener>
</web-app>




In some cases you may need different session timeouts for different user sessions, for example 30 minutes for admin users and 15 minutes for normal users. Setting the timeout programmatically is very helpful there.

Here is how to set a role-based or user-specific session timeout:

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {

        HttpSession session = request.getSession(true);

        // validate user and get user role: the lookup is application-specific,
        // so the request attribute read here is only a placeholder for it
        String role = (String) request.getAttribute("role");

        if ("ADMIN".equals(role)) {
            session.setMaxInactiveInterval(30 * 60); // 30 minutes (argument is in seconds)
        } else {
            session.setMaxInactiveInterval(15 * 60); // 15 minutes
        }
    }
}

If you are using Spring MVC or any other MVC framework, you can apply the same idea in your login controller.



Summary

1. The session timeout kills a session only if the gap between two consecutive requests is longer than the configured time.

2. web.xml takes the timeout in minutes, while session.setMaxInactiveInterval() takes it in seconds.

3. The web.xml configuration is suitable when you want to set the timeout globally.

4. session.setMaxInactiveInterval() is suitable when you want to set the timeout based on some condition, e.g. the user's role.

5. Avoid setting an infinite timeout.
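Point 1 deserves emphasis: both <session-timeout> and setMaxInactiveInterval() are idle timeouts, so a session that receives a request every few minutes lives indefinitely. As an added example (not code from the original post), here is a servlet filter that also caps the absolute age of a session using HttpSession.getCreationTime(); the 8 hour limit and the class name are assumptions.

```java
import java.io.IOException;
import java.util.concurrent.TimeUnit;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Caps how long a session may live regardless of activity; this complements
// the idle timeout configured in web.xml or via setMaxInactiveInterval().
public class AbsoluteSessionTimeoutFilter implements Filter {

    // Assumed limit: 8 hours from creation, however active the user is.
    static final long MAX_SESSION_AGE_MILLIS = TimeUnit.HOURS.toMillis(8);

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to initialise
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            // getSession(false): do not create a session just to check its age.
            HttpSession session = ((HttpServletRequest) req).getSession(false);
            if (session != null && isExpired(session.getCreationTime(), System.currentTimeMillis())) {
                // Downstream code then sees no session, exactly as after an idle timeout.
                session.invalidate();
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to clean up
    }

    // Pure check, kept separate so the rule can be unit-tested without a container.
    static boolean isExpired(long creationTimeMillis, long nowMillis) {
        return nowMillis - creationTimeMillis > MAX_SESSION_AGE_MILLIS;
    }
}
```

Register the filter for every request, either with <filter> and <filter-mapping> entries for /* in web.xml or by annotating the class with @WebFilter("/*"), and order it before any filter that relies on the session.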

