On 06/11/2016 11:24, André Warnier (tomcat) wrote: > On 04.11.2016 20:06, Mark Thomas wrote:
<snip/> >> I did say "patches welcome" to André but since he is a committer that >> should have been "commits welcome" ;) >> > > Guys, you all know my level of (in)competence in matters deeply Java. You might be surprised at just how little Java I knew when I was made a committer. > I got my kudos by trying to help people in a general sense here, but > when things seem to involve specific parts deep down the Tomcat code, I > have to call for help. As always, happy to provide pointers. This should end up as a docs fix which I'd encourage you to consider tackling yourself. > What I know is this, from the Servlet Specs 3.0 final : > > quote > > 12. session-config Element > > The session-config defines the session parameters for this Web application. > The sub-element *session-timeout* defines the default session time out > interval > for all sessions created in this Web application. The specified time out > must be > expressed in a whole number of minutes. If the time out is 0 or less, > the container > ensures the default behavior of sessions is never to time out. If this > element is not > specified, the container must set its default time out period. > > unquote > > So it appears that there is a difference between : > - the WEB-INF/web.xml of a webapp specifying a session-timeout > 0, in > minutes > - the WEB-INF/web.xml of a webapp specifying a session-timeout =< 0 > (meaning, no timeout or "infinite") > - the WEB-INF/web.xml of a webapp not specifying a session-timeout > (container should supply a default value) > > Which thus raises the question : if a web application does not set the > session-timeout, what value is returned by Tomcat for > getMaxInactiveInterval() ? > > And the auxiliary question : can this (default) value be set somewhere > in the configuration, or is this set in code ? > > (Or is that the one that is set in (tomcat)/conf/web.xml : > <session-config> > <session-timeout>30</session-timeout> > </session-config> > ?) You are correct. The value from conf/web.xml provides the default if the application's web.xml does not provide one. > (and what happens if we remove that stanza from conf/web.xml ?) There is a hard-coded default of 30 minutes (i.e. the same as the explicit default in conf/web.xml) in o.a.catalina.core.StandardConetxt. All of the above assumes that the standard components are being used. Custom session managers, session implementations and/or Contexts could all modify this behaviour. To add to the fun, there is, effectively, an undocumented attribute on Context - sessionTimeout - that could also be set in server.xml / context.xml. Overall, the order of precedence should be: - application specific web.xml - conf/web.xml default - sessionTimeout attribute on Context - hard-coded default. Mark --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
