> session.setMaxInactiveTimeout(-1);
Yeah, this is a bad idea. The session will never go away by itself. This *requires* the user to press a logout button, and for you to explicitly call session.invalidate(). Users frequently do not log themselves out, and their sessions will never die. You will eventually run out of memory.
If you need a long timeout, just make it really long (like a couple of hours). There's usually no good reason to make it -1.
PS is the session time out linked wirth inactivity? My session attribute only persists as long as I am using the app.
That's exactly how the 'inactive' timeout works.
-chris
signature.asc
Description: OpenPGP digital signature
