I am not sure if I understand:
<session-config>
    <session-timeout>30</session-timeout> <!-- 30 minutes! -->
    <cookie-config>
        <http-only>true</http-only>
        <max-age>1800</max-age> <!-- 1800 seconds: 30 minutes! -->
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
Also, is there any way to configure ALL cookies in web.xml? This seems to apply to session cookies only. Do I need a filter for such feature?
Why do we even need this? Quoting the servlet 3 spec:
In the HTTP protocol, there is no explicit termination signal when a client is no longer active. This means that the only mechanism that can be used to indicate when a client is no longer active is a time out period.
The web-commons schema really nails explaining it:
The session-timeout element defines the default session timeout interval for all sessions created in this web application. The specified timeout must be expressed in a whole number of minutes.
If the timeout is 0 or less, the container ensures the default behaviour of sessions is never to time out.
If this element is not specified, the container must set its default timeout period.
The web-commons schema also has something for us about the max-age:
The lifetime (in seconds) that will be assigned to any session tracking cookies created by this web application. Default is -1
To sum it up:
session-timeout configures how long the session will linger around consuming server resources, even when not being actively accessed.
max-age configures how long the client browser will keep the session cookie. This setting only applies to the lifetime of the cookie: it won't do a thing if you're using url rewriting, and it has absolutely nothing to do with how long the sessions are kept at the server-side. The default, -1, keeps the cookie for as long as the browser session is active.
Servlet 3.1 JSR page:
http://download.oracle.com/otndocs/jcp/servlet-3_1-fr-eval-spec/index.html
The web-commons xsd is available at:
http://www.oracle.com/webfolder/technetwork/jsc/xml/ns/javaee/web-common_3_0.xsd
The edited question asks:
Also, is there any way to configure ALL cookies in web.xml? This seems to apply to session cookies only. Do I need a filter for such feature?
I don't think so.
The easiest™ way to do so IMHO would be to subclass javax.servlet.http.HttpServletResponseWrapper overriding addCookie().
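An added example of the wrapper approach suggested above (not code from the answer's author): a servlet filter that wraps the response so every cookie the application adds is marked HttpOnly and Secure and gets a hard max-age. The class names CookieHardeningFilter and HardeningResponse and the 1800-second value are assumptions for illustration; the filter still has to be registered in web.xml or with @WebFilter.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/** Hypothetical filter: wraps the response so every cookie gets the same hardening. */
public class CookieHardeningFilter implements Filter {

    // Assumed policy value: 30 minutes, matching the web.xml in the question.
    static final int MAX_AGE_SECONDS = 1800;

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Hand the rest of the chain a wrapped response; servlets never see the raw one.
        chain.doFilter(req, new HardeningResponse((HttpServletResponse) res));
    }

    /** Response wrapper: every Cookie added through the servlet API passes through addCookie(). */
    static final class HardeningResponse extends HttpServletResponseWrapper {
        HardeningResponse(HttpServletResponse wrapped) { super(wrapped); }

        @Override
        public void addCookie(Cookie cookie) {
            cookie.setHttpOnly(true);          // not readable from script (mitigates XSS cookie theft)
            cookie.setSecure(true);            // only sent over TLS
            if (cookie.getMaxAge() < 0) {      // -1 = "browser session" cookie: give it a hard limit
                cookie.setMaxAge(MAX_AGE_SECONDS);
            }
            super.addCookie(cookie);
        }
    }
}
```

Containers generally write the JSESSIONID Set-Cookie header to the underlying response rather than through the wrapper, so the session cookie itself stays governed by <cookie-config>; this wrapper covers the cookies the application adds.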
Before explaining what they are, be sure to understand a few things. From your question it is clear you are already aware of the first but perhaps confused about the second item in the below list:
- the two settings use different units (session-timeout is in minutes whereas max-age is in seconds)
- they measure time in different ways: session-timeout measures time in a relative way, max-age measures time in an absolute way (explained further below)
- they are taken into account and enforced by different software components. The session-timeout is taken into account by the container, whereas the max-age is taken into account and enforced by the user's browser. Equivalently, you may say that session-timeout applies to the server side whereas max-age applies to the client side.
session-timeout gives the maximum idle duration before the container decides to destroy the session object representing your "connection" in the server. This means that you may set the value of session-timeout to just 1 minute and still manage to keep the session object in the server forever as long as your browser sends HTTP GET, POST etc. messages to the server once every 59 seconds.
max-age is used by the user's browser to compute an absolute, fixed point in time, beyond which the session cookie (JSESSIONID in Java) will no longer be sent to the server. This is an absolute value and, as such, activity or inactivity on behalf of the user makes no difference. That's why if you examine the cookies in the developer console of your browser you see an absolute timestamp for the session cookie:
Caveat: An exception to the above description on the value of max-age denoting a fixed point in time is if the specially interpreted value -1 is used. In such a case that's what you see in the developer console:
… and also as explained in this answer this means that the browser will keep sending the cookie for the duration of the "browser session". I am putting "browser session" in quotes to differentiate it from server-side sessions. How the concept of a session is understood by a browser (e.g. whether different tabs correspond to different sessions) is implementation-specific.
Given the different semantics of session-timeout and max-age, it follows that attempts to "align" the two values like the web.xml excerpt you provide in your question:
<session-config>
    <session-timeout>30</session-timeout> <!-- 30 minutes! -->
    <cookie-config>
        <http-only>true</http-only>
        <max-age>1800</max-age> <!-- 1800 seconds: 30 minutes! -->
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
… likely indicate confusion.
max-age provides a hard limit (unless the special value -1 is used) whereas session-timeout effectively provides no limit, as long as the user actively uses the session.
Regarding the default and specially interpreted values (0 for the session-timeout and -1 for max-age) and whether you can configure those values for all cookies (as opposed to just the session cookie), these points are explained in this answer.
<session-timeout> is the maximum duration of an unused session (from the time of the last request). When a session is not used (no request) for that amount of time, the server-side application kills the session (you can catch this event and implement your own behaviour).
Session cookie max-age defines how long this cookie is stored in the user's browser.
To conclude, when a session cookie reaches its max-age, the session is forced to disconnect. In the other case, when a session is disconnected by the session-timeout event, the session cookie might still be present in the user's browser.