Java – Difference between setting the session timeout using web.xml and setMaxInactiveInterval
I asked the user to authenticate in the session, and the session timed out after 10 minutes of inactivity. After the session times out, any further requests from the current expired session will be redirected to the timeout page. I have studied this aspect and come up with two different methods.
Method #1:
In web.xml, I have the code mentioned below:
    <session-config>
        <session-timeout>10</session-timeout>
    </session-config>
Method #2:
I have the code mentioned below in the authenticated page:
    response.setHeader("Cache-Control", "no-cache,no-store,must-revalidate"); // HTTP 1.1.
    response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
    response.setDateHeader("Expires", 0); // Proxies.
    request.getSession().setMaxInactiveInterval(600);
Now my question is: what is the difference between the two methods? Which is better or recommended? And when using method #2, if the end user navigates away from the authenticated page but has not logged off, will the session still time out after 10 minutes of inactivity?
Solution
Session timeouts can be set at various levels:
- In the application server, there is usually a default setting that can be changed. It is the default for all applications or for a given application (depending on the server's configuration capabilities).
- Then in the application descriptor: you can override it using web.xml, and it will be used for all sessions in the given application.
- And then in the application code: you can override it using session.setMaxInactiveInterval(), and it will be overridden only for that session.
As Roman wrote, no matter how you set it, the container will invalidate it when the timeout expires.
You should avoid using the programmatic method (the last one), because it is easy to miss a session, and it will get a default timeout, and you will have inconsistent behavior. If you want to ensure a given timeout (business requirement) and do not want to rely on server functionality, use web.xml.
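The following is an added example, not code from the question or the answer: a session listener that checks, in one central place, the timeout the container actually assigned to each new session and corrects it if it is looser than policy, so no code path can "miss a session". The class name, the 10-minute policy constant and the use of `javax.servlet` (Servlet 3.0+; the package is `jakarta.servlet` on Jakarta EE 9+) are assumptions.

```java
import java.util.logging.Logger;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical class name; @WebListener registers it without a web.xml entry.
@WebListener
public class SessionTimeoutAuditListener implements HttpSessionListener {

    private static final Logger LOG =
            Logger.getLogger(SessionTimeoutAuditListener.class.getName());

    // Assumed policy: 10 minutes, matching <session-timeout>10</session-timeout>.
    // Note the units: web.xml counts minutes, the HttpSession API counts seconds.
    static final int POLICY_SECONDS = 10 * 60;

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        HttpSession session = event.getSession();

        // Value the container assigned from web.xml or the server default.
        int effective = session.getMaxInactiveInterval();

        // Zero or a negative value means the session never times out.
        boolean neverExpires = effective <= 0;

        if (neverExpires || effective > POLICY_SECONDS) {
            // The session id is deliberately not logged.
            LOG.warning("New session has timeout " + effective
                    + "s but policy is " + POLICY_SECONDS + "s; enforcing policy");
            // Per-session override, applied for every session created.
            session.setMaxInactiveInterval(POLICY_SECONDS);
        }
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        // Called both for explicit invalidate() and for container timeout.
        LOG.fine("Session invalidated (logout or inactivity timeout)");
    }
}
```

A warning from this listener means the descriptor or server default does not match the intended timeout and should be corrected at that level.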