Randy Layman wrote:
> Section 1.4.3 of the JSP 1.1 Final Spec (page 24). Its available at
> http://www.javasoft.com/products/jsp/download.html
> <http://www.javasoft.com/products/jsp/download.html>
>
> My own understanding: Session starts at the first time a user in a
> particular web browser instance requests a "resource" from Tomcat. The
> session ends after the user hasn't make any more requests - default
> configuration this is about 30 minutes (I believe, I've always reset this to
> something else). There are some caveats about the instances of web browsers
> - some browsers have bugs that allow a session to be used by two separate
> instances if you're using cookie based sessions.
>
With slightly more precision:
* A session starts when a request is made to a servlet or JSP page
that initiates it. For servlets, you have to do this deliberately by
calling request.getSession(). JSP pages create a session for you
(if it doesn't exist already) unless you tell it not to in your <%@ page %>
directive.
* A session ends when it either times out (see more below) or you
call session.invalidate() on it. The latter would typically be done
by your "logout" processing.
Session timeouts are based on the time between requests, not the total time that
the session has been in existence. The default session timeout is configured in
your web.xml file; you can also adjust it on the fly by calling
session.setMaxInactiveInterval().
You will want the servlet 2.2 spec (referenced in an earlier email message) as
well as the JSP spec to get the complete picture here.
>
> Randy
>
Craig McClanahan
