What is the difference between session-timeout and max-age in web.xml?

Koray Tugay · Jan 30, 2016 · Viewed 13.2k times

I am not sure if I understand:

<session-config>
    <session-timeout>30</session-timeout> <!-- 30 minutes! -->
    <cookie-config>
        <http-only>true</http-only>
        <max-age>1800</max-age> <!-- 1800 seconds: 30 minutes! -->
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>

Also, is there any way to configure ALL cookies in web.xml? This seems to apply to session cookies only. Do I need a filter for such a feature?

Answer

Luiz Tavares · Jan 30, 2016

Why do we even need this? Quoting the Servlet 3.0 specification:

In the HTTP protocol, there is no explicit termination signal when a client is no longer active. This means that the only mechanism that can be used to indicate when a client is no longer active is a time out period.

The web-commons schema really nails explaining it:

The session-timeout element defines the default session timeout interval for all sessions created in this web application. The specified timeout must be expressed in a whole number of minutes.

If the timeout is 0 or less, the container ensures the default behaviour of sessions is never to time out. If this element is not specified, the container must set its default timeout period.


The web-commons schema also got something for us about the max-age element:

The lifetime (in seconds) that will be assigned to any session tracking cookies created by this web application. Default is -1


And to answer your last question:

Also, is there any way to configure ALL cookies in web.xml? This seems to apply to session cookies only. Do I need a filter for such a feature?

I don't think so. The easiest™ way to do so IMHO would be to subclass HttpServletResponseWrapper overriding the addCookie() method.


So to sum it up:

  • session-timeout configures how long the session will linger around consuming server resources, even when not being actively accessed.

  • max-age configures how long the client browser will keep the session cookie. This setting only applies to the lifetime of the cookie: it won't do a thing if you're using URL rewriting, and it has absolutely nothing to do with how long the sessions are kept at the server-side. The default, -1, keeps the cookie for as long as the browser session is active.


Useful links:

Servlet 3.1 JSR-340 specification page:
http://download.oracle.com/otndocs/jcp/servlet-3_1-fr-eval-spec/index.html

The web-commons XSD is available at:
http://www.oracle.com/webfolder/technetwork/jsc/xml/ns/javaee/web-common_3_0.xsd
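Following the HttpServletResponseWrapper suggestion in the answer, here is an added example (not code from the question, the answer or any project) of a filter that applies HttpOnly and Secure to every cookie the application adds via addCookie(), which is the one attribute set that <cookie-config> only applies to the session cookie. It assumes the Servlet 3.0+ API; the package and class names are my own.

```java
package example.web;   // hypothetical package name

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/** Hardens every cookie the application sets, not just JSESSIONID. */
@WebFilter("/*")
public class CookieHardeningFilter implements Filter {

    /** Wrapper that intercepts addCookie() before the container emits the header. */
    static final class HardeningResponse extends HttpServletResponseWrapper {
        private final boolean secureRequest;

        HardeningResponse(HttpServletResponse resp, boolean secureRequest) {
            super(resp);
            this.secureRequest = secureRequest;
        }

        @Override
        public void addCookie(Cookie cookie) {
            cookie.setHttpOnly(true);                  // not readable from document.cookie
            if (secureRequest) cookie.setSecure(true); // only sent over TLS when issued over TLS
            super.addCookie(cookie);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        if (resp instanceof HttpServletResponse) {
            resp = new HardeningResponse((HttpServletResponse) resp, req.isSecure());
        }
        chain.doFilter(req, resp);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

This only covers cookies added through addCookie(): a raw setHeader("Set-Cookie", ...) bypasses the wrapper, and the container's own session cookie is still governed by <cookie-config> in web.xml.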