shrayansh

Reputation: 15

Session-Timeout and Secure in web.xml

I already did some homework before posting the question here, and I understood that session-timeout will make my session expire if my server does not get any request within the defined time limit.

But my doubt is:

MY SERVER IS SESSIONLESS, i.e. IT DOES NOT MAINTAIN A SESSION AT ALL.

For each request, I check if a token is present; if so, I grant the request, otherwise I reject it. Also, if the user chooses to sign out, I mark that token invalid, so that if someone uses that token next time, the protected API should not be accessible.

And yes, I am using an expiry time while generating a new token.

Does this mean I do not have to set up "session-timeout" in my web.xml?

Or am I missing something?

Thank you.

/***** UPDATED ******/

Let me add some more information. I take "Username" and "Password" from the user and generate a token with an expiry of 1 day. With each API request I expect the user to send me this token, and only then do I let him go further. When he logs out, I mark this token invalid, so the next time he tries to use any API, I ask him again for "Username" and "Password" <-- this is what I am assuming: his session was over when he clicked "log me out".

Now, my doubt is:

Suppose the user first comes and gives me "Username" and "Password", and I generate one token, give it to him, and set the token expiry to 1 DAY.

And now I set session-timeout = 20 minutes. This means that if the user does not make any request within 20 minutes, his session will be over.

But I am sure that if he hits any API after 20 minutes, the server will grant the request, as the token is still valid (the user has not logged out yet).

So what is the use of using "SESSION-TIMEOUT"?

Upvotes: 0

Views: 747

Answers (1)

Andres

Reputation: 10717

In a JEE Servlet app, the session is a value associated with a cookie. Behind the scenes, this value is used by the servlet container as a key to store a map of attributes in server memory. The session-timeout value in web.xml establishes how long a user can be inactive before the cookie value expires and the map is disposed of for garbage collection.

Upvotes: 0
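To make the distinction in the answer concrete, here is an added example (not code from the question or the answer) of the stateless token check the question describes, written as a hypothetical servlet filter. It never calls request.getSession(), so the container creates no HttpSession and the web.xml session-timeout has nothing to expire; only the expiry stamped at issue time and the revocation set updated on logout decide whether a token is accepted. The class and method names, the in-memory stores and the Servlet 4.0 API (default init/destroy) are assumptions.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical stateless token filter (added example). No HttpSession is ever
// created here, so <session-timeout> in web.xml does not apply to these tokens.
public class TokenAuthFilter implements Filter {
    // Issued tokens with their expiry instants (in-memory; a shared store would
    // be needed if more than one server instance must accept the same tokens).
    static final Map<String, Instant> EXPIRY = new ConcurrentHashMap<>();
    // Tokens invalidated by an explicit logout before their natural expiry.
    static final Set<String> REVOKED = ConcurrentHashMap.newKeySet();

    // Issue a random, unguessable token valid for ttl from now (e.g. 1 day).
    static String issue(Instant now, Duration ttl) {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        EXPIRY.put(token, now.plus(ttl));
        return token;
    }

    // Logout: mark the token invalid so any later use of it is rejected.
    static void revoke(String token) { REVOKED.add(token); }

    // A token is accepted only if it was issued, has not expired and is not revoked.
    static boolean isValid(String token, Instant now) {
        Instant exp = EXPIRY.get(token);
        return exp != null && now.isBefore(exp) && !REVOKED.contains(token);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String header = ((HttpServletRequest) req).getHeader("Authorization");
        String token = header != null && header.startsWith("Bearer ")
                ? header.substring("Bearer ".length()) : null;
        if (token == null || !isValid(token, Instant.now())) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return; // reject: missing, expired or revoked token
        }
        chain.doFilter(req, res); // accept: inactivity plays no role here
    }
}
```

Mapped in web.xml to the protected API paths, this filter rejects a request 20 minutes of inactivity later only if the token has expired or been revoked, which is exactly the behaviour the question observes.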
