Session timeout confusion - session.setMaxInactiveInterval(0)

java session jakarta-ee glassfish session-timeout
JEENoob picture JEENoob · Jan 11, 2014 · Viewed 24.8k times · Source

I am new to JEE and this is what confuses me. According to HttpSession.html#setMaxInactiveInterval(int interval) documentation

An interval value of zero or less indicates that the session should never timeout.

but according to my text book (which already is few years old - so I expect it not to be always right) using zero as argument should cause session to timeout immediately.

This code 

public class Test extends HttpServlet {

    protected void doGet(HttpServletRequest request,
            HttpServletResponse response) throws ServletException, IOException {

        response.setContentType("text/html");
        response.setCharacterEncoding("utf-8");

        PrintWriter out = response.getWriter();

        HttpSession session = request.getSession();
        session.setAttribute("foo", 42);
        session.setMaxInactiveInterval(0);

        out.println(session.getAttribute("foo"));//problem here

    }
}

used on Glassfish 4.0 seems to confirm theory from textbook instead of newer official documentation because it returns HTTP Status 500 - Internal Server Error with error message

java.lang.IllegalStateException: getAttribute: Session already invalidated

What is going on here? Is this Glassfish 4.0 bug or documentation is wrong? Or maybe there is third option?

PS. This code works as it should with negative values (session is not invalidated) and I am using -1 instead of 0 in my code. I am just interested what is wrong with 0.

Answer

Sotirios Delimanolis picture Sotirios Delimanolis · Jan 11, 2014

The Servlet Specification chapter on Session Timeouts states

By definition, if the time out period for a session is set to -1, the session will never expire.

So GlasshFish seems to have that covered. I can't find any reference in the specification that says that the same should be true for a value of 0 with setMaxInactiveInterval(). However it does say

The session-config defines the session parameters for this Web application. The sub-element session-timeout defines the default session time out interval for all sessions created in this Web application. The specified time out must be expressed in a whole number of minutes. If the time out is 0 or less, the container ensures the default behavior of sessions is never to time out. If this element is not specified, the container must set its default time out period.

Related questions

How to set session timeout dynamically in Java web applications?

I need to give my user a web interface to change the session timeout interval. So, different installations of the web application would be able to have different timeouts for their sessions, but their web.xml cannot be different. Is …

Read More
How can I manually load a Java session using a JSESSIONID?

I have a servlet which handles a multipart form post. The post is actually being made by a Flash file upload component embedded in the page. In some browsers, the Flash-generated POST doesn't include the JSESSIONID which is making it …

Read More
Sessions in struts2 application

I have created a web application in which I need to maintain the session if a user session is there, and then and only then will it allow the user to see the jsp. I have worked with jsp servlets …

Read More