Is there a lower bound for the Tomcat server configuration property <session-timeout> ? Because, if I set it to 5 minutes the sessions always expires after 15 minutes. I also tried 1 minute and it was the same.

This is my web.xml for my webapp deployed under tomcat:

    <session-config>
        <session-timeout>5</session-timeout>
        <cookie-config>
           <http-only>true</http-only>
           <secure>false</secure>
        </cookie-config>
    </session-config>

I didn't find anything on the documentation, e.g.

https://docs.oracle.com/cd/E13222_01/wls/docs81/webapp/web_xml.html#1017275

Any hint?

CodePudding user response：

There is indeed no lower bound on this value. On a "hello world" web application deployed to Tomcat, you can observe that expiration works properly by looking at how often the JSESSIONID cookie value is refreshed in the browser.

If you set session-timeout to 1 minute and refresh the page after 1 minute, the value of JSESSIONID will be different. If you refresh it before 1 minute runs out, it will be the same. This proves that session expiration works as expected.

If in your case it's limited by 15 minutes, it might mean that your application itself does some additional session management.

The HTTP session is just a way to correlate the subsequent HTTP queries. By itself it has nothing to do with authentication or user being logged in / logged out. In case of Tomcat, the session-config configuration is related to the HTTP session management defined by the Servlet specification and supported by Tomcat as the servlet container.

The security framework that you use may take advantage of this Servlet HTTP session to attach authenticated user data, or it may create its own session for that. So expiration of Servlet HTTP session may not coincide with expiration of user login.