We help IT Professionals succeed at work.

Session-Timeout , Tomcat - webapp

Last Modified: 2011-08-18
Hey all,

We're using tomcat 4.1.24.  I've been trying for the past hour to change the session timeout of our app.  The 30 minute default shouldn't be a problem, but we connected to our server then closed the IE to see if the sessions would be invalidated after 30 minutes.  They were not, so i'm trying to figure out why.

First, does a session timing out mean that everything in that session scope will be invalidated or does it just mean the user has to create a new session.

I tried changing the timeout to 1 minute for testing purposes.  Running the program in JProbe, i was opening a page and then closing IE.  After waiting over a minute(when the session should have timed out) i started garbage collection and checked whether the classes in the session scope were collected, and they were not.  So now i'm thinking that we're not setting the session timeout correctly, or maybe that session timeout doesn't mean the session will be invalidated.

This is the code that I added to our web.xml file:


We have multiple web.xml files, but I believe the file we have to add the code to is in the WEB-INF directory, which is parallel with the app directory

basically our app is in tomcat/webapps/dir/app and our WEB-INF is in tomcat/webapps/dir/WEB-INF.
I also tried to add it to ROOT/WEB-INF to no avail.

I've read other posts similar to this, but I haven't read anything about whether the session will be invalidated upon timeout.

Any help is definitely appreciated!

thank you much.

Nathan @ AutoKnowledge

ps. kinda urgent... but only because i'm almost out of hair :)
Watch Question

I don't understand what is the app directory.
I think your web.xml file should be in TOMCAT/WEBAPPS/DIR/WEB-INF
or, if you do not use the auto deploy features of TOMCAT but wrote a context in the server.xml file, TOMCAT/WEBAPPS/DIR/APP/WEB-INF

Theortically the session should be invalidated, but Tomcat may decide it has enough memory and won't run the thread that destroys the sessions.


Thanks for the response vzilka,

Our JSPs for the application are stored in tomcat/webapps/dir/app, and tomcat/webapps/dir contains the entire application.  I tried placing the code in the web.xml file inside tomcat/webapps/dir/web-inf to no avail.  After a minute of time, i started up JProbe's garbage collector to see if it would collect the objects that were in the expired session.  It didn't collect this un-referenced memory even after quite a few minutes of time and multiple garbage collections.  

vzilka, could you explain what you mean by:

"Theortically the session should be invalidated, but Tomcat may decide it has enough memory and won't run the thread that destroys the sessions."

Do you mean that tomcat may not run session.invalidate() when the session times out?
Do you mean that session.invalidate() will be run, but the garbage collection may not collect the un-referenced memory right away?

Also, does session.invalidate() just de-reference all of the objects associated with that session?
As long as the memory is unreferenced, I think that I can put a little trust in the garbage collector to someday pick up the trash when the app needs the extra memory.

If tomcat just doesn't invalidate the session at all if it doesn't have to, then is there a way to find out which session has timed out and then manually invalidate it?

Thanks for any help you guys/gals can give.

Nathan @ AK
This one is on us!
(Get your first solution completely free - no credit card required)


Wow, i wasn't expecting the delay between the specified and the actual timeout to be so large.  Even after waiting an extended period of time, our sessions still don't show any signs of timeout.  I guess adding the code from the link you posted might be useful in waiting for the timeout to occur, since it will tell me right when it does.  However, if i never get this msg, then i will have to assume that the timeout isn't setup correctly and try something else.  Unless of course it's memory dependant and won't run until the server is almost out of memory, which would be a tedious task to test.

I have the code:

in the web.xml files in our C:\jakarta-tomcat-4.1.24\conf directory and C:\jakarta-tomcat-4.1.24\webapps\dir\WEB-INF directories.
If i set this code to 1 minute, i should hope that the timeouts occur sooner that 30 minutes.

If I never get a msg stating that the session timed-out, then i guess that I should try session.setMaxInactiveInterval().  If we put this line at login for every user, would it work the same as setting session-timeout in the web.xml file?  If so, I'd rather get rid of the session-timeout in the web.xml altogether and just add this line to our login since it would make the session timeout a little more concrete.  A SessionListener would definitely be overkill... i really hope it doesn't come to that.

If you can think of anything else that would make this task easier, just let me know.  Thanks again for your help.  



Ok, i think the session.setMaxInactiveInterval() is working fine in our program.  I never could get the session-timeout code in the web.xml file to work.  The code at http://www.jguru.com/faq/view.jsp?EID=127074 was a great testing tool to make sure the timeouts were actually taking place.  I hope this helps to solve some of our memory issues.  Thanks for all your help vzilka.

Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.