Session timeout in Java EE

Posted 2019-06-25 12:49

Question:

In which ways can the time for session timeout be defined in Java EE? I am looking beyond obvious ways, such as setting session timeout in web.xml or HttpSession.setMaxInactiveInterval().

I am currently reviewing a Java EE application, but I can't find anything related to session timeout definition. The web app is in Weblogic. I am assuming that since there is no session timeout definition, the session will never expire.

Answer 1:

As you're looking for how the session can be timed out in Weblogic, I can add TimeoutSecs in weblogic.xml or check for any point in the code where session is killed by session.invalidate() on logout.

By the way, it will not be infinite.

On Weblogic, the default in web.xml (if no value specified) is to use the TimeoutSecs value in weblogic.xml, which defaults to 3600 secs i.e. 60 mins
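
Added example (not part of the original answer and not WebLogic tooling): a small Python check for a review like the one in the question, resolving the effective timeout from the two descriptors in the order the answer above describes. It assumes the session-descriptor/timeout-secs form of weblogic.xml; the sample XML and the max_secs review threshold are constructed for illustration, and calls to HttpSession.setMaxInactiveInterval() in code are not covered.

```python
import xml.etree.ElementTree as ET

WEBLOGIC_DEFAULT_SECS = 3600  # default quoted in the answer above

def find_text(xml_text, tag):
    """Text of the first element named `tag`, ignoring XML namespaces."""
    if not xml_text:
        return None
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] == tag and el.text and el.text.strip():
            return el.text.strip()
    return None

def effective_timeout(web_xml, weblogic_xml):
    """Return (seconds, source) using the precedence described in the answer."""
    minutes = find_text(web_xml, "session-timeout")    # web.xml: minutes
    if minutes is not None:
        return int(minutes) * 60, "web.xml <session-timeout>"
    secs = find_text(weblogic_xml, "timeout-secs")     # weblogic.xml: seconds
    if secs is not None:
        return int(secs), "weblogic.xml <timeout-secs>"
    return WEBLOGIC_DEFAULT_SECS, "WebLogic default"

def review(web_xml, weblogic_xml, max_secs=1800):
    """Flag the effective timeout against max_secs (hypothetical policy limit)."""
    secs, source = effective_timeout(web_xml, weblogic_xml)
    if secs <= 0:
        return f"REVIEW: {source} is {secs}s (non-positive; check container semantics)"
    verdict = "OK" if secs <= max_secs else "TOO LONG"
    return f"{verdict}: {secs}s from {source}"

# Constructed sample descriptors, not taken from any real application.
WEB_XML_NO_TIMEOUT = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <display-name>demo</display-name>
</web-app>"""
WEB_XML_15_MIN = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <session-config><session-timeout>15</session-timeout></session-config>
</web-app>"""
WEBLOGIC_XML = """<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <session-descriptor><timeout-secs>7200</timeout-secs></session-descriptor>
</weblogic-web-app>"""

if __name__ == "__main__":
    print(review(WEB_XML_NO_TIMEOUT, None))          # neither file sets a value
    print(review(WEB_XML_NO_TIMEOUT, WEBLOGIC_XML))  # weblogic.xml only
    print(review(WEB_XML_15_MIN, WEBLOGIC_XML))      # web.xml wins
```

A non-positive value is reported for manual review rather than interpreted, because its meaning depends on the container.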



Answer 2:

Not Spring related:

  • Control the cookie yourself by response.setHeader("Set-Cookie", cookiestring);. It's the expires attribute which controls the session timeout. This overrides any servletcontainer or web.xml defaults, but is overrideable by HttpSession#setMaxInactiveInterval() in Java code anyway.

  • Configure a default at servletcontainer level. In Tomcat for example, by maxInactiveInterval attribute of <manager> element. This is overrideable by <session-timeout> in web.xml and HttpSession#setMaxInactiveInterval() in Java code anyway.


Update as per the comment and question update:

When not specified, then a servletcontainer-managed default timeout will be used. This is usually 30 minutes (which is true for Tomcat and clones). This way the session will expire 30 minutes after the last request sent by the client in the session. Also, when the client closes and reopens the browser instance or clears the cookies, then a new session will be created (the old session will be expired after the default 30 minutes timeout).