Session Timeout - Who has the final decision?

[Jerry Jalenak <Je...@LABONE.com>]

Hi All,

I've checked the Tomcat-User and Struts-User archives for an answer to this,
but am still not sure of the answer.  Given that I can set a session timeout
interval in Tomcat's configuration file (web.xml), the web application
itself (web.xml), and also by setting
'session.setMaxInactiveInterval(#secs)', who wins?  In other words, if I
have the following:

	Tomcat				timeout is 30 minutes
	Web Appl.			timeout is 45 minutes
	session.setMaxInactiveInterval	3600 seconds (or 60 minutes)

does the users session 'live' for the full 60 minutes?  Or does one of the
other settings take precedence?

TIA!

Jerry Jalenak
Web Publishing
LabOne, Inc.
10101 Renner Blvd.
Lenexa, KS  66219
(913) 577-1496
jerry.jalenak@labone.com


This transmission (and any information attached to it) may be confidential and is intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient or the person responsible for delivering the transmission to the intended recipient, be advised that you have received this transmission in error and that any use, dissemination, forwarding, printing, or copying of this information is strictly prohibited. If you have received this transmission in error, please immediately notify LabOne at the following email address: securityincidentreporting@labone.com



--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>

Re: Session Timeout - Who has the final decision?

["Craig R. McClanahan" <cr...@apache.org>]

On Mon, 27 Jan 2003, Jerry Jalenak wrote:

> Date: Mon, 27 Jan 2003 13:22:47 -0600
> From: Jerry Jalenak <Je...@LABONE.com>
> Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> To: "'tomcat-user@jakarta.apache.org'" <to...@jakarta.apache.org>
> Subject: Session Timeout - Who has the final decision?
>
> Hi All,
>
> I've checked the Tomcat-User and Struts-User archives for an answer to this,
> but am still not sure of the answer.  Given that I can set a session timeout
> interval in Tomcat's configuration file (web.xml), the web application
> itself (web.xml), and also by setting
> 'session.setMaxInactiveInterval(#secs)', who wins?  In other words, if I
> have the following:
>
> 	Tomcat				timeout is 30 minutes
> 	Web Appl.			timeout is 45 minutes
> 	session.setMaxInactiveInterval	3600 seconds (or 60 minutes)
>

Whichever value is set last always wins.  Presumably, if your app is
explicitly setting this, it was done after the session was created (which
is when the initial default value is applied).  You can call
setMaxInactiveInterval() on a given session instance as many times as you
like, and the last value you set is always the one that will apply when
the current request completes.

> does the users session 'live' for the full 60 minutes?  Or does one of the
> other settings take precedence?

Well, you could always *try* this and see for yourself too :-).

>
> TIA!
>
> Jerry Jalenak

Craig



--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>

RE: Session Timeout - Who has the final decision?

[mech <me...@rz.fh-augsburg.de>]

IMHO: Your web app web.xml overrides Tomcat's web.xml. Your application
code overrides both.

> 
> I've checked the Tomcat-User and Struts-User archives for an 
> answer to this, but am still not sure of the answer.  Given 
> that I can set a session timeout interval in Tomcat's 
> configuration file (web.xml), the web application itself 
> (web.xml), and also by setting 
> 'session.setMaxInactiveInterval(#secs)', who wins?  In other 
> words, if I have the following:
> 
> 	Tomcat				timeout is 30 minutes
> 	Web Appl.			timeout is 45 minutes
> 	session.setMaxInactiveInterval	3600 seconds (or 60 minutes)
> 
> does the users session 'live' for the full 60 minutes?  Or 
> does one of the other settings take precedence?
> 
>


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>