

Session-Timeout, Tomcat - webapp

Posted on 2004-02-09
Medium Priority
Last Modified: 2011-08-18
Hey all,

We're using Tomcat 4.1.24.  I've been trying for the past hour to change the session timeout of our app.  The 30 minute default shouldn't be a problem, but we connected to our server then closed the IE to see if the sessions would be invalidated after 30 minutes.  They were not, so I'm trying to figure out why.

First, does a session timing out mean that everything in that session scope will be invalidated or does it just mean the user has to create a new session?

I tried changing the timeout to 1 minute for testing purposes.  Running the program in JProbe, I was opening a page and then closing IE.  After waiting over a minute (when the session should have timed out) I started garbage collection and checked whether the classes in the session scope were collected, and they were not.  So now I'm thinking that we're not setting the session timeout correctly, or maybe that session timeout doesn't mean the session will be invalidated.

This is the code that I added to our web.xml file:


We have multiple web.xml files, but I believe the file we have to add the code to is in the WEB-INF directory, which is parallel with the app directory.

Basically our app is in tomcat/webapps/dir/app and our WEB-INF is in tomcat/webapps/dir/WEB-INF.
I also tried to add it to ROOT/WEB-INF to no avail.

I've read other posts similar to this, but I haven't read anything about whether the session will be invalidated upon timeout.

Any help is definitely appreciated!

thank you much.

Nathan @ AutoKnowledge

PS: kinda urgent... but only because I'm almost out of hair :)
Question by:autoknowledge

Expert Comment

ID: 10326441
I don't understand what the app directory is.
I think your web.xml file should be in TOMCAT/WEBAPPS/DIR/WEB-INF
or, if you do not use the auto deploy features of TOMCAT but wrote a context in the server.xml file, TOMCAT/WEBAPPS/DIR/APP/WEB-INF

Theoretically the session should be invalidated, but Tomcat may decide it has enough memory and won't run the thread that destroys the sessions.


Author Comment

ID: 10327562
Thanks for the response vzilka,

Our JSPs for the application are stored in tomcat/webapps/dir/app, and tomcat/webapps/dir contains the entire application.  I tried placing the code in the web.xml file inside tomcat/webapps/dir/web-inf to no avail.  After a minute of time, I started up JProbe's garbage collector to see if it would collect the objects that were in the expired session.  It didn't collect this un-referenced memory even after quite a few minutes of time and multiple garbage collections.

vzilka, could you explain what you mean by:

"Theoretically the session should be invalidated, but Tomcat may decide it has enough memory and won't run the thread that destroys the sessions."

Do you mean that Tomcat may not run session.invalidate() when the session times out?
Do you mean that session.invalidate() will be run, but the garbage collection may not collect the un-referenced memory right away?

Also, does session.invalidate() just de-reference all of the objects associated with that session?
As long as the memory is unreferenced, I think that I can put a little trust in the garbage collector to someday pick up the trash when the app needs the extra memory.

If Tomcat just doesn't invalidate the session at all if it doesn't have to, then is there a way to find out which session has timed out and then manually invalidate it?

Thanks for any help you guys/gals can give.

Nathan @ AK

Accepted Solution

vzilka earned 320 total points
ID: 10329279
First of all, you are not alone in this feeling: http://www.jguru.com/faq/view.jsp?EID=127074

Concerning your questions. The servlet specification says that the value you specify in the web.xml file is the lifetime of the session. The session is handled by 2 methods - the object on the server side and a cookie called JSessionID which lives for as long as the session timeout.
The browser will delete the cookie - that's no problem.
I suspect that Tomcat will only remove HTTPSessions if it suffers from low memory (call the HTTPSession.invalidate() method). When it does that all objects will be de-referenced and the next garbage collection act will remove them from memory.

Why should you want to invalidate sessions yourself? Leave it to Tomcat to handle the memory and write your own code.
You can, if you really want to, define a SessionListener and keep track of all sessions - but do it only if you really have to.

Author Comment

ID: 10347012
Wow, I wasn't expecting the delay between the specified and the actual timeout to be so large.  Even after waiting an extended period of time, our sessions still don't show any signs of timeout.  I guess adding the code from the link you posted might be useful in waiting for the timeout to occur, since it will tell me right when it does.  However, if I never get this msg, then I will have to assume that the timeout isn't set up correctly and try something else.  Unless of course it's memory dependent and won't run until the server is almost out of memory, which would be a tedious task to test.

I have the code:

in the web.xml files in our C:\jakarta-tomcat-4.1.24\conf directory and C:\jakarta-tomcat-4.1.24\webapps\dir\WEB-INF directories.
If I set this code to 1 minute, I should hope that the timeouts occur sooner than 30 minutes.

If I never get a msg stating that the session timed-out, then I guess that I should try session.setMaxInactiveInterval().  If we put this line at login for every user, would it work the same as setting session-timeout in the web.xml file?  If so, I'd rather get rid of the session-timeout in the web.xml altogether and just add this line to our login since it would make the session timeout a little more concrete.  A SessionListener would definitely be overkill... I really hope it doesn't come to that.

If you can think of anything else that would make this task easier, just let me know.  Thanks again for your help.  


Author Comment

ID: 10356195
Ok, I think the session.setMaxInactiveInterval() is working fine in our program.  I never could get the session-timeout code in the web.xml file to work.  The code at http://www.jguru.com/faq/view.jsp?EID=127074 was a great testing tool to make sure the timeouts were actually taking place.  I hope this helps to solve some of our memory issues.  Thanks for all your help vzilka.
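
The check discussed in this thread (a session listener to confirm that timeouts actually fire, plus setMaxInactiveInterval() at login), as an added example that is not code from any of the posters or from the linked FAQ. The package, class and method names are placeholders; it logs a truncated session ID rather than the full value, because a full session ID in a log file can be replayed by anyone who reads the log.

```java
// Added example. Uses only the Servlet 2.3 API (the level Tomcat 4.1 implements)
// and pre-generics Java so it compiles on a JDK 1.4-era container.
// Register in WEB-INF/web.xml (class name is a placeholder):
//   <listener>
//     <listener-class>example.SessionAudit</listener-class>
//   </listener>
package example;

import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

public class SessionAudit implements HttpSessionListener {

    // session id -> creation time. Kept here because an invalidated session
    // may reject getCreationTime() with IllegalStateException.
    private static final Map LIVE = Collections.synchronizedMap(new HashMap());

    public void sessionCreated(HttpSessionEvent se) {
        HttpSession s = se.getSession();
        LIVE.put(s.getId(), new Long(System.currentTimeMillis()));
        System.out.println("session created " + tag(s.getId())
                + " maxInactive=" + s.getMaxInactiveInterval() + "s"
                + " live=" + LIVE.size());
    }

    public void sessionDestroyed(HttpSessionEvent se) {
        String id = se.getSession().getId();
        Long created = (Long) LIVE.remove(id);
        long ageSec = (created == null) ? -1
                : (System.currentTimeMillis() - created.longValue()) / 1000;
        System.out.println("session destroyed " + tag(id)
                + " age=" + ageSec + "s live=" + LIVE.size());
    }

    // Call once at login. web.xml <session-timeout> is in MINUTES,
    // setMaxInactiveInterval() is in SECONDS.
    public static void applyTimeout(HttpSession session, int minutes) {
        session.setMaxInactiveInterval(minutes * 60);
    }

    // Log only a short prefix of the session ID, never the whole value.
    private static String tag(String id) {
        return id.length() > 6 ? id.substring(0, 6) + "..." : id;
    }
}
```

The maxInactive value logged at creation is the timeout the container actually applied, in seconds, so it shows directly whether a `<session-timeout>` edit in web.xml was picked up.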

