Is there a lower bound for the Tomcat server configuration property <session-timeout>? Because if I set it to 5 minutes the sessions always expire after 15 minutes. I also tried 1 minute and it was the same.
This is my web.xml for my webapp deployed under Tomcat:
<session-config>
    <session-timeout>5</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <secure>false</secure>
    </cookie-config>
</session-config>
I didn't find anything in the documentation, e.g. https://docs.oracle.com/cd/E13222_01/wls/docs81/webapp/web_xml.html#1017275
Any hint?
CodePudding user response:
There is indeed no lower bound on this value. On a "hello world" web application deployed to Tomcat, you can observe that expiration works properly by looking at how often the JSESSIONID cookie value is refreshed in the browser.
If you set session-timeout to 1 minute and refresh the page after 1 minute, the value of JSESSIONID will be different. If you refresh it before 1 minute runs out, it will be the same. This proves that session expiration works as expected.
If in your case it's limited by 15 minutes, it might mean that your application itself does some additional session management.
The HTTP session is just a way to correlate subsequent HTTP requests. By itself it has nothing to do with authentication or with a user being logged in or logged out. In the case of Tomcat, the session-config configuration is related to the HTTP session management defined by the Servlet specification and supported by Tomcat as the servlet container.
The security framework that you use may take advantage of this Servlet HTTP session to attach authenticated user data, or it may create its own session for that. So expiration of the Servlet HTTP session may not coincide with expiration of the user login.
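One way to check which timeout is actually in effect, rather than inferring it from cookie changes in the browser, is a small diagnostic servlet that reports the session's effective idle timeout and access times; if a filter or security framework has overridden the value from web.xml, HttpSession.getMaxInactiveInterval() shows the overridden number. This is an added example, not code from the question or answer; the /session-info path is an assumption and it targets the javax.servlet packages (Tomcat 9; Tomcat 10+ uses jakarta.servlet).

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.time.Duration;
import java.time.Instant;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Diagnostic servlet (added example): reports the effective idle timeout of the
// Servlet HTTP session, so a value set by a filter or security framework instead
// of the <session-timeout> from web.xml becomes visible.
// The "/session-info" path is an assumption; remove the servlet again after debugging.
@WebServlet("/session-info")
public class SessionInfoServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Create the session if none exists, so the first request reports isNew() == true.
        HttpSession session = req.getSession(true);
        resp.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = resp.getWriter();

        // getMaxInactiveInterval() is in seconds; <session-timeout> in web.xml is in minutes.
        int maxInactiveSeconds = session.getMaxInactiveInterval();
        Instant created = Instant.ofEpochMilli(session.getCreationTime());
        // Per the Servlet spec this is the time of the previous request on this session.
        Instant lastAccessed = Instant.ofEpochMilli(session.getLastAccessedTime());
        long sincePreviousRequest = Duration.between(lastAccessed, Instant.now()).getSeconds();

        out.println("session id (suffix): ..." + suffix(session.getId()));
        out.println("new session:          " + session.isNew());
        out.println("max inactive:         " + maxInactiveSeconds + " s ("
                + (maxInactiveSeconds / 60) + " min)");
        out.println("created:              " + created);
        out.println("previous request:     " + lastAccessed);
        out.println("since previous req.:  " + sincePreviousRequest + " s");
    }

    // Only the tail of the id is shown, so the full session identifier never ends
    // up in logs or screenshots taken while debugging.
    private static String suffix(String id) {
        return id.length() > 6 ? id.substring(id.length() - 6) : id;
    }
}
```

Request the page twice with a pause longer than the reported "max inactive" value: if the suffix changes and "new session" is true again, the container expired the session on schedule, and any longer-lived login state is being kept by the application or its security framework rather than by Tomcat.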