Pages

Tuesday, December 31, 2019

Java Servlet Session Timeout and Examples

1. Overview


In this tutorial, how to set up and configure a session timeout in a java Servlet based web application.

Configure Session Timeout in the web.xml of a Java Servlet web application, and globally for a Tomcat or Jetty Server.

This can be done in many ways as follows.

A) web.xml
B) Programmatically
C) Tomcat or any server configuration


Java Servlet Session Timeout




2. Global Timeout in the deployment descriptor (web.xml) 


The timeout of all HTTP Sessions can be configured in the web.xml of the web application as below using tag <session-timeout>. This tag accepts integer values in minutes, not in seconds. Here, we are configuring it for 15 mins.


<web-app>

    .....
    
    <session-config>
        <session-timeout>15</session-timeout>
    </session-config>
    
    ......
    
</web-app>

3. Programmatic Timeout per Individual Session setMaxInactiveInterval()


Now we can do this for a particular session instead of doing for all sessions. But, this is not possible using the XML configuration option and must use the java program by calling session method setMaxInactiveInterval(int interval).


HttpSession session = request.getSession();
session.setMaxInactiveInterval(15*60);

This session will be killed by the container if the client doesn’t make any request after 15 minutes.

Note: As opposed to the <session-timeout> element which accepts a value in minutes but, the setMaxInactiveInterval() method accepts a value in seconds.
One interesting note is that, in a Servlet 3.0 environment where annotations may be used instead of the XML deployment descriptor, there is no way to programmatically set the global session timeout for each session. Programmatic configuration for session timeout does have an open issue on the Servlet Spec JIRA – but the issue has not yet been scheduled.


An interval value of zero or less indicates that the session should never timeout.

session.setMaxInactiveInterval(0);
session.setMaxInactiveInterval(-1);
session.setMaxInactiveInterval(-2);

All of these statements indicate the same meaning that the session will not be timed out.

If we have both XML and program configuration then web.xml value will be overridden by the programmatically set value.

4. Session Timeout in Tomcat or any server configuration


As of now, we have seen the setting the timeout within application web.xml or in java code. But now the same can be set up in a tomcat or jetty server. This is useful if we have multiple applications deployed in the same server and all applications should have the same session timeout.

Tomcat or any web server will come with a default web.xml file.


$tomcat_home/conf/web.xml

If we configure the element <session-timeout> in this default web.xml file then the timeout is configured for the entire web server.

For Jetty:

jetty_home/etc/webdefault.xml


The default timeout is set to 30 mins.

Note: Every application deployed in the server will have its own deployment descriptor web.xml file. We have the right to configure different timeout values for each application. But individual application web.xml will be having a high priority than the global one. Global settings will be overridden by the app web.xml.

5. Spring Boot Java Config Set Session Timeout


As contrary to traditional web application, we no need to configure timeout in web.xml in spring boot or spring boot 2 application. We should add server.session.timeout property in your application.properties file.

Spring Boot 1.0:

server.connection-timeout=60

Spring Boot 2.0:

server.servlet.session.timeout=10m


# Time in milliseconds that connectors will wait for another HTTP request before closing the connection. When not set, the connector's container-specific default will be used. Use a value of -1 to indicate no (i.e. infinite) timeout.

Note: If a duration suffix is not specified, seconds will be used.

6. Conclusion


In this short and precise article on practical aspects on how to configure servlet and server session timeout in a web server or application.

Seen the configuration in web.xml and next how to set timeout programmatically.

At last how to see globally to all apps in one server using default web.xml in tomcat and jetty server.

web.xml inside the application will be overridden by the

tomcat server default web.xml timeout configuration will be overridden by the individual application web.xml timeout property and individual web.xml timeout will be overridden by the programmatically using setMaxInactiveInterval() method.

Reference StackOverFlow.com


No comments:

Post a Comment

Please do not add any spam links in the comments section.