Reputation: 23025
How to make a session not to timeout?
I need the sessions in my web application not to timeout. They should be there until the user log out manually. It might be a bad call but I must implement it.
I tried the below in web.xml
<session-config>
<session-timeout>
-1
</session-timeout>
</session-config>
However the session is still getting time out! Any suggestions?
Upvotes: 0
Views: 2867
Answers (5)
Reputation: 2068
You can also use the following:
HttpSession session = request.getSession();
session.setMaxInactiveInterval(0);
or
HttpSession session = request.getSession();
session.setMaxInactiveInterval(-1);
Upvotes: 0
Reputation: 9415
I want to advise against setting an infinite Session Timeout. It is a very bad call, as this is one certain way to implement a Memory Leak. As a result you will have an ever growing set of 'active' sessions. Each of them have the potential to store a considerable amount of data in Session Attributes. Each of them can have additional data associated with the session (injects, resources, beans).
Your application will continue to degrade over time until you will be forced to restart.
Also I would like to state that the longer a session is active, the more susceptible it is for hacking and intercepts.
You state,
It might be a bad call but I must implement it.
Yes, a very bad call indeed, but I am glad you know. I would like to have the opportunity to provide you an alternative solution. Can you provide the reason, and maybe some code to help document your case?
Actually thinking about some real life scenario's, I had the situation where we didn't want to expire the user page with settings and information he has gathered in his session. It was a complex graphing solution that needed much input. The user will just hit refresh to retrieve the most recent data.
The solution to above scenario was to not store it is part of the session, but instead encoded in the page itself. The simplest way would be to use <intput type="hidden"> fields. You could also use embedded xml, or make it part of the URL (to make a true browser refresh work).
Upvotes: 1
Reputation: 2922
use a HttpSessionListener. In the sessionCreated() method, you can set the session timeout programmatically.
public class MyHttpSessionListener implements HttpSessionListener{
public void sessionCreated(HttpSessionEvent event){
event.getSession().setMaxInactiveInterval(-1); //in seconds
}
public void sessionDestroyed(HttpSessionEvent event){}
}
And don't forget to define the listener in the deployment descriptor:
<webapp>
...
<listeners>
<listener-class>com.MyHttpSessionListener</listener-class>
</listeners>
</webapp>
Upvotes: 0
Reputation: 59
You can do this too :
<session-config>
<session-timeout>0</session-timeout>
</session-config>
You can see how it works just here
Upvotes: 1
Reputation: 1256
In web.xml define the following
<session-config>
<session-timeout>-1</session-timeout>
</session-config>
which has the same effect as the code posted above and will apply to all sessions for that web-app.
Upvotes: 0
Related Questions
- How to call sessionDestroyed when a session times out
- Time to timeout session
- Session timeout does not work in Java web application
- Session timeout not happening
- Java configuring timeout for specific session variables
- Contdown on Servlet Session
- How can I set session timeout so that it never expires?
- Servlet Session timeout
- Session-timeout configuration doesn't work?
- Session Time out