Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
578 views
in Technique[技术] by (71.8m points)

servlets - What is the difference between session-timeout and max-age in web.xml?

I am not sure if I understand:

<session-config>
    <session-timeout>30</session-timeout> <!-- 30 minutes! -->
    <cookie-config>
        <http-only>true</http-only>
        <max-age>1800</max-age> <!-- 1800 seconds: 30 minutes! -->
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>

Also, is there any way to configure ALL cookies in web.xml? This seems to apply to session cookies only. Do I need a filter for such feature?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Why do we even need this? Quoting the Servlet 3.0 specification:

In the HTTP protocol, there is no explicit termination signal when a client is no longer active. This means that the only mechanism that can be used to indicate when a client is no longer active is a time out period.

The web-commons schema really nails explaining it:

The session-timeout element defines the default session timeout interval for all sessions created in this web application. The specified timeout must be expressed in a whole number of minutes.

If the timeout is 0 or less, the container ensures the default behaviour of sessions is never to time out. If this element is not specified, the container must set its default timeout period.


The web-commons schema also got something for us about the max-age element:

The lifetime (in seconds) that will be assigned to any session tracking cookies created by this web application. Default is -1


And to answer your last question:

Also, is there any way to configure ALL cookies in web.xml? This seems to apply to session cookies only. Do I need a filter for such feature?

I don't think so. The easiest™ way to do so IMHO would be to subclass HttpServletResponseWrapper overriding the addCookie() method.


So to sum it up:

  • session-timeout configures how long the session will linger around consuming server resources, even when not being actively accessed.

  • max-age configures how long the client browser will keep the session cookie. This setting only applies to the lifetime of the cookie: it won't do a thing if you're using URL rewriting, and it has absolutely nothing to do with how long the sessions are kept at the server-side. The default, -1, keeps the cookie for as long as the browser session is active.


Useful links:

Servlet 3.1 JSR-340 specification page:
http://download.oracle.com/otndocs/jcp/servlet-3_1-fr-eval-spec/index.html

The web-commons XSD is available at:
http://www.oracle.com/webfolder/technetwork/jsc/xml/ns/javaee/web-common_3_0.xsd


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...