One second session time out in spring boot - java

I configured the application.properties to have a one second session time out.
(I was just doing this to test session time out in my application. The real application will have a much longer session)
server.session.timeout=1
server.session.tracking-modes=cookie
In the browser, I refreshed the page every 5 seconds to see if JSESSIONID is changing. But it looks like it isn't.
Although, I tried refreshing after a while, the JSESSIONID changed.
Is there a minimum session time out in spring boot?

server.session.timeout works only in case of embedded tomcat container and not in case of Standalone.
If you want to set it, you have to configure it in web.xml,
something like below:
<session-config>
<session-timeout>1</session-timeout>
</session-config>
so in this case, session timeout will be set to 1 min

Related

Is it possible to kill session or force session expiry in Tomcat either active or inactive?

I need to know if it's possible to set a forced session time-out at a WEB SERVER level, that basically after x period of time, kicks the user from the session whether it is active or inactive, or better said, for the WEBSERVER to delete the session linked to the client.
Can this be achieved without development intervention on the application side?
Is this possible to do it with Tomcat? Thank you.
You can do it through Tomcat default web.xml configuration
<session-config>
<session-timeout>10</session-timeout> <!-- 10 minutes -->
</session-config>
For full reference: https://tomcat.apache.org/tomcat-5.5-doc/appdev/web.xml.txt
The file can be located in conf/web.xml (relative to your tomcat installation)
Edit
You can also invalidate a given session using session.invalidate() method
You can set the time when you create a session using setMaxInactiveInterval(int interval);
either make it constant or fetch it from the database depending on the user's time.
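
Added example (not part of the answers above): the session-timeout value in web.xml counts minutes of inactivity, so a session that stays in use is never ended by it. The servlet filter below calls session.invalidate() once a session reaches a fixed age, active or not; the class name, the maxAgeMinutes init-param and the 60-minute default are assumptions, and it is written against the javax.servlet API.

```java
import java.io.IOException;
import java.util.concurrent.TimeUnit;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical filter: ends a session after a fixed lifetime, even if it is in use.
public class AbsoluteSessionTimeoutFilter implements Filter {
    private long maxAgeMillis = TimeUnit.MINUTES.toMillis(60); // assumed default

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        String raw = cfg.getInitParameter("maxAgeMinutes"); // assumed init-param name
        if (raw == null) return;
        long minutes = Long.parseLong(raw.trim()); // a malformed value fails deployment
        if (minutes <= 0) throw new ServletException("maxAgeMinutes must be positive");
        maxAgeMillis = TimeUnit.MINUTES.toMillis(minutes);
    }

    // Age is measured from creation time, not from the last request.
    static boolean isExpired(long creationTime, long now, long maxAgeMillis) {
        return now - creationTime >= maxAgeMillis;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // getSession(false): never create a session just to inspect it.
        HttpSession session = ((HttpServletRequest) req).getSession(false);
        if (session != null) {
            try {
                if (isExpired(session.getCreationTime(), System.currentTimeMillis(), maxAgeMillis)) {
                    session.invalidate(); // the request continues without a session
                }
            } catch (IllegalStateException alreadyInvalidated) {
                // Another thread or the container ended the session first.
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Register it in web.xml with a <filter> and a <filter-mapping> on /* so every request passes through it.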

Wicket application running in tomcat 7 does not allow to set timeout session longer than 30 minutes

I'm running a wicket application in tomcat 7 and was trying to set timeout to 60 minutes.
As described in tomcat documentation I configured web.xml setting it this way
<session-config>
<session-timeout>60</session-timeout>
</session-config>
To test this was working OK I tried 1st with 5 minutes and everything worked as expected.
But when I set it to 60 minutes the session expired at 30, to be fair something like 35 that was my test.
I've looked in the web, and although some people mentioned this problem no solution or bug comment was provided.
For now just trying to detect if this is a wicket problem or a tomcat7 problem, takes very long to test :-).
Has anyone faced a similar problem?
Thanks very much
tonio
Wicket doesn't read/write the session timeout anywhere, so it is not to blame. You can try with simple application that has just a Servlet to verify.
The Servlet API provides a way to set this setting with http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpSession.html#setMaxInactiveInterval(int)
The solution is what marting-g described
In my case:
Create/Configure an HttpSessionListener
Configure sessionCreated() method to set the maxInactiveInterval taken from a properties file.
Works perfectly ok
thanks all
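
Added example (not the poster's code): one way to write the HttpSessionListener described above, with sessionCreated() applying a timeout read from a properties file. The resource name, property key, default and upper bound are assumptions; values that are non-numeric, non-positive or above the bound fall back to the default, because a negative interval passed to setMaxInactiveInterval means the session never times out.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

@WebListener
public class SessionTimeoutListener implements HttpSessionListener {
    // Assumed names and limits, not taken from the original post.
    private static final String RESOURCE = "/session.properties";
    private static final String KEY = "session.timeout.minutes";
    private static final int DEFAULT_MINUTES = 30;
    private static final int MAX_MINUTES = 8 * 60;

    private final int timeoutSeconds = loadTimeoutSeconds();

    static int loadTimeoutSeconds() {
        Properties props = new Properties();
        try (InputStream in = SessionTimeoutListener.class.getResourceAsStream(RESOURCE)) {
            if (in != null) props.load(in);
        } catch (IOException e) {
            // Unreadable file: keep props empty so the default applies.
        }
        return toSeconds(props.getProperty(KEY));
    }

    // Converts the configured minutes to seconds, refusing unsafe values.
    static int toSeconds(String raw) {
        int minutes = DEFAULT_MINUTES;
        try {
            if (raw != null) minutes = Integer.parseInt(raw.trim());
        } catch (NumberFormatException e) {
            minutes = DEFAULT_MINUTES;
        }
        // Zero or negative would disable expiry; very large values nearly so.
        if (minutes <= 0 || minutes > MAX_MINUTES) minutes = DEFAULT_MINUTES;
        return minutes * 60;
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // setMaxInactiveInterval takes seconds, unlike web.xml's minutes.
        se.getSession().setMaxInactiveInterval(timeoutSeconds);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) { }
}
```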

User session closed after 20 minutes

I have configured a 20 minute session timeout in the web.xml file of my war. But I am calling my servlet to keep the session active after 20 minutes using this JavaScript code:
setInterval(function () {
$.get("sessionKeepAlive");
}, 240000);
Everything is working fine in the Dev environment, but in QA it's not working. We are using a load-balancer in QA. I want to know if there is anything that we can change in the server configuration to get around this issue.
web.xml:
<session-config>
<session-timeout>10</session-timeout>
</session-config>
Ok there can be a number of things to look at:
Since you are using a Load Balancer, it suggests you are using multiple Java servers (app servers or servlet containers) - you should ensure your Session sharing (clustering) mechanism is properly configured. Also, your back-end server may require you to add the <distributable /> tag to your web.xml. (The downside of this approach is that sharing sessions across more than a handful of back-end servers is not really advisable, unless absolutely necessary)
An alternative option to using clustering/session sharing, as mentioned by #piet.t is to ensure that Session stickiness is enabled on your load balancer - this would ensure that requests using the same session always go back to the same server. (The downside of this approach is that you risk losing a lot of sessions if 1 server dies)
As #JB Nizet suggested in the comments above, you should ensure your AJAX GET request is not being returned from the browser cache - this is sometimes done by adding a random number to each GET request (eg. The time in milliseconds)
Thanks all for your reply :)
I just checked and found that the session stickiness time on the load-balancer is 3 minutes. This means the load-balancer can send the request to any server after 3 minutes even if the session is active.
For time being I have changed the js method, and later I will update the session active time on the load-balancer.
setInterval(function () {
$.get("sessionKeepAlive");
}, 240000);

Session expiry times?

I've enabled sessions on my app:
// appengine-web.xml
<sessions-enabled>true</sessions-enabled>
They seem to work when I load different pages under my domain. If I close the browser, however, it looks like the session is terminated. Restarting the browser shows the last session is no longer available.
That could be fine, just wondering if this is documented anywhere, so I can rely on this fact?
I tried the following just to test if we can tweak it:
// in web.xml
<session-config>
<session-timeout>10</session-timeout>
</session-config>
also
// in my servlet
getThreadLocalRequest().getSession().setMaxInactiveInterval(60 * 5);
but same behavior, session data is no longer available after browser restart.
I looked at the stats for my project and I see data being used for something like "_ah_SESSION" objects. Are those the sessions from above? If so, shouldn't they be cleaned since they're no longer valid? (Hopefully gae takes care of that automatically?)
Thanks
Using Google accounts, session expiry is actually handled in the App Engine admin console, not through Java. Log in to your admin console at http://appengine.google.com/ and select 'Application Settings', then change 'Cookie Expiration' to whatever period suits you best.
That is how a session works. JSESSIONID typically holds the session ID in the HTTP.
When the browser closes the session the session still stays active in the server and all expired sessions are freed after a period of time.
When you reopen a new browser session the browser has no idea on any previous sessions so a new one is created.
There are workarounds for this...
- Create a Cookie
- Store a unique variable in a hidden form field and use that.
- URL rewriting
By default Jetty* sets a JSESSIONID cookie ( session based ) which means that it will be deleted after your browser is closed.
When the browser is opened again, a new JSESSIONID cookie will be created and the previous session context is lost.
If you want to keep the cookie alive for longer then just add the following configuration on your web.xml:
Set cookie expiration time
<context-param>
<param-name>org.mortbay.jetty.servlet.MaxAge</param-name>
<!-- amount of seconds (1 month in this case) -->
<param-value>2592000</param-value>
</context-param>
Additionally you should let Google know how long it should keep the sessions in _ah_SESSION
Set session expiration time
<session-config>
<!-- minutes of inactivity: (1 month in this case) -->
<session-timeout>43200</session-timeout>
</session-config>
*Other Jetty configurations can be found here: https://wiki.eclipse.org/Jetty/Howto/SessionIds

What is the default session timeout for a Java EE website?

If I do not specify the following in my web.xml file:
<session-config>
<session-timeout>10</session-timeout>
</session-config>
What will be my default session timeout? (I am running Tomcat 6.0)
If you're using Tomcat, it's 30 minutes. You can read more about it here.
You can also set this in code, for a specific session using the HttpSession setMaxInactiveInterval API:
Specifies the time, in seconds, between client requests before the servlet container will invalidate this session. A negative time indicates the session should never timeout.
I mention this in case you see timeouts that are not 30 minutes, but you didn't specify another value (e.g. another developer on the project used this API).
Another item to note is this timeout may not trigger on the exact second the session is eligible to expire. The Java EE server may have a polling thread that checks for expired sessions every minute. I don't have a reference for this, but have seen this behavior in the WebSphere 5.1 era.
I'm sure it depends on your container. Tomcat is 30 minutes.
Session time out we can specify for that particular context in the web.xml file, as in the entry mentioned below:
<session-config>
<session-timeout>60</session-timeout>
</session-config>
Default Session time out is 30 mins
