SessionTimeout: web.xml vs session.maxInactiveInte

2019-01-05 10:23发布

站内问答 / Java
455 3 4

I'm trying to timeout an HttpSession in Java. My container is WebLogic.

Currently, we have our session timeout set in the web.xml file, like this 

<session-config>
    <session-timeout>15</session-timeout>
</session-config>

Now, I'm being told that this will terminate the session (or is it all sessions?) in the 15th minute of use, regardless their activity.

I'm wondering if this approach is the correct one, or should I programatically set the time limit of inactivity by 

session.setMaxInactiveInterval(15 * 60); //15 minutes

I don't want to drop all sessions at 15 minutes, only those that have been inactive for 15 minutes.

Are these methods equivalent? Should I favour the web.xml config?

3条回答
beautiful°
2楼-- · 2019-01-05 10:47

Please check seession timeout in below pseudo code

<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4"
    xmlns="http://java.sun.com/xml/ns/j2ee"`enter code here`
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instanenter code herece"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    <display-name>AccountWeb</display-name>

    <listener>
        <description>[Re]configures log4j</description>
        <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
    </listener>

    <context-param>
      <description>How often to check for changes in configfile (ms)</description>
      <param-name>log4jRefreshInterval</param-name>
      <param-value>60000</param-value>
    </context-param>
    <context-param>
      <description>Avoid setting system property as there might be several apps in same VM</description>
      <param-name>log4jExposeWebAppRoot</param-name>
      <param-value>false</param-value>
    </context-param>

    <listener>
        <description>The listener that will start Account</description>
        <display-name>AccountInitialiser</display-name>
        <listener-class>com.te.account.AccountInitializer</listener-class>
    </listener>

    <servlet>
        <display-name>Apache-Axis Servlet</display-name>
        <servlet-name>AxisServlet</servlet-name>
        <servlet-class>org.apache.axis.transport.http.AxisServlet</servlet-class>
          <load-on-startup>200</load-on-startup>
    </servlet>

    <servlet>
        <display-name>Axis Admin Servlet</display-name>
        <servlet-name>AdminServlet</servlet-name>
        <servlet-class>org.apache.axis.transport.http.AdminServlet</servlet-class>
        <load-on-startup>100</load-on-startup>
    </servlet>


    <servlet-mapping>
        <servlet-name>AxisServlet</servlet-name>
        <url-pattern>/servlet/AxisServlet</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>AxisServlet</servlet-name>
        <url-pattern>*.jws</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>AxisServlet</servlet-name>
        <url-pattern>/services/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>AdminServlet</servlet-name>
        <url-pattern>/servlet/AdminServlet</url-pattern>
    </servlet-mapping>

    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
        <welcome-file>default.html</welcome-file>
        <welcome-file>default.htm</welcome-file>
        <welcome-file>default.jsp</welcome-file>
    </welcome-file-list>
<!--    <resource-ref>
        <description>The queue used to publish logging events</description>
        <res-ref-name>jms/LoggingAppenderQueue</res-ref-name>
        <res-type>javax.jms.Queue</res-type>
        <res-auth>Container</res-auth>
        <res-sharing-scope>Shareable</res-sharing-scope>
    </resource-ref>
    <resource-ref>
        <description>The connection factory for the logging appender queue</description>
        <res-ref-name>jms/LoggingAppenderQueueConnFactory</res-ref-name>
        <res-type>javax.jms.QueueConnectionFactory</res-type>
        <res-auth>Container</res-auth>
        <res-sharing-scope>Shareable</res-sharing-scope>
    </resource-ref> -->
    <resource-ref>
        <description>
        </description>
        <res-ref-name>jdbc/AccountDB</res-ref-name>
        <res-type>javax.sql.DataSource</res-type>
        <res-auth>Container</res-auth>
        <res-sharing-scope>Shareable</res-sharing-scope>
    </resource-ref>
</web-app>
查看更多
0人赞 添加讨论(0) 举报
放我归山
3楼-- · 2019-01-05 10:51

Now, i'm being told that this will terminate the session (or is it all sessions?) in the 15th minute of use, regardless their activity.

No, that's not true. The session-timeout configures a per session timeout in case of inactivity.

Are these methods equivalent? Should I favour the web.xml config?

The setting in the web.xml is global, it applies to all sessions of a given context. Programatically, you can change this for a particular session.

查看更多
0人赞 添加讨论(0) 举报
时光不老,我们不散
4楼-- · 2019-01-05 10:58

Now, i'm being told that this will terminate the session (or is it all sessions?) in the 15th minute of use, regardless their activity.

This is wrong. It will just kill the session when the associated client (webbrowser) has not accessed the website for more than 15 minutes. The activity certainly counts, exactly as you initially expected, seeing your attempt to solve this.

The HttpSession#setMaxInactiveInterval() doesn't change much here by the way. It does exactly the same as <session-timeout> in web.xml, with the only difference that you can change/set it programmatically during runtime. The change by the way only affects the current session instance, not globally (else it would have been a static method).

To play around and experience this yourself, try to set <session-timeout> to 1 minute and create a HttpSessionListener like follows:

@WebListener
public class HttpSessionChecker implements HttpSessionListener {

    public void sessionCreated(HttpSessionEvent event) {
        System.out.printf("Session ID %s created at %s%n", event.getSession().getId(), new Date());
    }

    public void sessionDestroyed(HttpSessionEvent event) {
        System.out.printf("Session ID %s destroyed at %s%n", event.getSession().getId(), new Date());
    }

}

(if you're not on Servlet 3.0 yet and thus can't use @WebListener, then register in web.xml as follows):

<listener>
    <listener-class>com.example.HttpSessionChecker</listener-class>
</listener>

Note that the servletcontainer won't immediately destroy sessions after exactly the timeout value. It's a background job which runs at certain intervals (e.g. 5~15 minutes depending on load and the servletcontainer make/type). So don't be surprised when you don't see destroyed line in the console immediately after exactly one minute of inactivity. However, when you fire a HTTP request on a timed-out-but-not-destroyed-yet session, it will be destroyed immediately.

See also:

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(4)