Recipe 11.1 Setting the Session Timeout in web.xml

Problem

You want to configure a timeout period for the web application in the deployment descriptor.

Solution

Create a session-config element in web.xml.

Discussion

The length of time that a session lasts before the server invalidates the session and unbinds any of its objects is an important component of your web application. In Tomcat 4.1.x, the default timeout period for a session is 30 minutes. If any requests that are associated with the session have been inactive for that period, the session times out. If the user decides to return to the web application after 30 minutes, using the same browser, then a new session is created for him. Example 11-1 shows how to set your own timeout period for sessions.

Example 11-1. Configuring the session timeout

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
           "http://java.sun.com/dtd/web-application_2_3.dtd"
>

<web-app>

<!-- filter, listener, servlet, and servlet-mapping elements precede session-config -->

  <session-config>
    <session-timeout>15</session-timeout>
  </session-config>

</web-app>

Place one nested session-timeout element within the session-config. The timeout is expressed as minutes, and overrides the default timeout (which is 30 minutes in Tomcat, for example). However, the HttpSession.getMaxInactiveInterval( ) method in a servlet returns the timeout period for that session in seconds; if your session is configured in web.xml for 15 minutes, getMaxInactiveInterval( ) returns 900.

Another way to configure a timeout value for a servlet is to use the init-param element in web.xml, as shown in Example 11-2.

Example 11-2. Adding an init-param to a servlet to set a session timeout interval

<servlet>
  <servlet-name>Cart</servlet-name>
  <servlet-class>com.jspservletcookbook.TimeoutSession</servlet-class>
  <init-param>
    <param-name>timeout</param-name>
    <param-value>600</param-value>
  </init-param>
</servlet>

The servlet element in this web application's web.xml file has a nested init-param, which creates a parameter called timeout. The Cart servlet takes the parameter value (600 seconds, equivalent to 10 minutes) and passes it to the session.setMaxInactiveInterval(int seconds) method. Example 11-3 shows the doGet( ) method of the servlet, which sets the session timeout variable to the configured parameter value.

Example 11-3. Using init parameters to set a servlet's session timeout

public void doGet(HttpServletRequest request, 
  HttpServletResponse response)
    throws ServletException, java.io.IOException {
        
        response.setContentType("text/html");
        java.io.PrintWriter out = response.getWriter( );

        HttpSession session = request.getSession( );

        //initially set to default timeout interval
        int _default = session.getMaxInactiveInterval( );

        int  timeout = _default;

        try{

            timeout = new Integer(getInitParameter("timeout")).intValue( );
    
        } catch(NumberFormatException nfe){

            //report any problems with the configured value in web.xml
            log("Problem with configuring session timeout in: " + 
                getClass( ).getName( )) ; 
        }//try

        //now set the session to the configured timeout period
        if(timeout != _default && timeout > -2)
            session.setMaxInactiveInterval(timeout);

        out.println("<html>");
        out.println("<head>");
        out.println("<title>Cart Servlet</title>");  
        out.println("</head>");
        out.println("<body>");

        out.println("The timeout interval is: " + 
            session.getMaxInactiveInterval( ));

        out.println("</body>");
        out.println("</html>");
      
}

Figure 11-1 shows the result of running this servlet in a browser window.

Figure 11-1. Dynamically changing the session timeout

The session timeout is changed only if the configured value is different than the initial value, and if the value is greater than -2:

if(timeout != _default && timeout > -2)
              session.setMaxInactiveInterval(timeout);

A timeout interval can be set to -1, which is defined by the Servlet v2.4 specification as a session that never expires.

This behavior may not be implemented consistently from server to server.

As mentioned before, sessions are implemented the majority of the time as cookies. Chapter 10 includes recipes describing the handling of cookies in JSPs and servlets.