servlets - What is the difference between session-timeout and max-age in web.xml?

Question

I am not sure if I understand:

<session-config>
    <session-timeout>30</session-timeout> <!-- 30 minutes! -->
    <cookie-config>
        <http-only>true</http-only>
        <max-age>1800</max-age> <!-- 1800 seconds: 30 minutes! -->
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>

Also, is there any way to configure ALL cookies in web.xml? This seems to apply to session cookies only. Do I need a filter for such feature?

Answer 1

Why do we even need this? Quoting the Servlet 3.0 specification:

In the HTTP protocol, there is no explicit termination signal when a client is no longer active. This means that the only mechanism that can be used to indicate when a client is no longer active is a time out period.

The web-commons schema really nails explaining it:

The session-timeout element defines the default session timeout interval for all sessions created in this web application. The specified timeout must be expressed in a whole number of minutes.

If the timeout is 0 or less, the container ensures the default behaviour of sessions is never to time out. If this element is not specified, the container must set its default timeout period.

The web-commons schema also got something for us about the max-age element:

The lifetime (in seconds) that will be assigned to any session tracking cookies created by this web application. Default is -1

And to answer your last question:

Also, is there any way to configure ALL cookies in web.xml? This seems to apply to session cookies only. Do I need a filter for such feature?

I don't think so. The easiest™ way to do so IMHO would be to subclass HttpServletResponseWrapper overriding the addCookie() method.

So to sum it up:

• session-timeout configures how long the session will linger around consuming server resources, even when not being actively accessed.

• max-age configures how long the client browser will keep the session cookie. This setting only applies to the lifetime of the cookie: it won't do a thing if you're using URL rewriting, and it has absolutely nothing to do with how long the sessions are kept at the server-side. The default, -1, keeps the cookie for as long as the browser session is active.

---

Useful links:

Servlet 3.1 JSR-340 specification page:
http://download.oracle.com/otndocs/jcp/servlet-3_1-fr-eval-spec/index.html

The web-commons XSD is available at:
http://www.oracle.com/webfolder/technetwork/jsc/xml/ns/javaee/web-common_3_0.xsd