Java- feasibility of session timeout limit

Question

Is it feasible to set unlimited session time out programmatically using HttpSession. setMaxInactiveInterval(int seconds) or using

<session-config>
    <session-timeout>-1</session-timeout>
</session-config>

? Will this lead to any overhead?

Answer 1

Yes. It is possible to programmatically set the session timeout via a java servlet or jsp page using the setMaxInactiveInterval method,

HttpSession.setMaxInactiveInterval(int seconds)

Here the int value in seconds specifies the time, in seconds, between client requests before the servlet container will invalidate this session.

An interval value of zero or less indicates that the session should never timeout.

However, many HTTP servers in general use are configured to drop persistent connections after a certain period of inactivity in order to conserve system resources, quite often without informing the client. So keeping up the connectins alive may lead to java.lang.OutOfMemoryError: GC overhead limit exceeded error.

Out Of Memory Error

More open connections requires more memory and more requests hit your server and eventually causes your server to crash.

Answer 2

The documentation says that calling that method with a negative number of seconds will cause the session to never time out.

Overhead depends on the implementation, but I suppose (as can be seen in the source code for Catalina's StandardSession) it would cause less overhead than a limited session time, because the server does not need to do the cleanup required after the expiry time.

Answer 3

The answer lies in this post: http://www.theserverside.com/discussions/thread.tss?thread_id=26490 The server will run out of memory.

Answer 4

Through config file is preferred, Reason being able to change timeout limit in one place if the question is whether to go with config file or calling setMaxInactiveInterval(int seconds) within code.

And yes we can set unlimited timeout limit through config settings.