Recipe 11.2 Setting the Session Timeout in All Tomcat Web Applications

Problem

You want to configure a session timeout period for all of the web applications that are running within an instance of Tomcat.

Solution

Set the session timeout within the session-config element in <Tomcat-installation-directory>/conf/web.xml.

Discussion

You can set the session timeout for all web applications by configuring Tomcat's default conf/web.xml file. If the deployment descriptor for a particular web application does not have a session-config element, then the application uses the value set in conf/web.xml as the default session timeout. The content of the session-timeout element (nested within session-config) represents the time in minutes until an inactive session expires.

Example 11-4 shows the session-config element in the default web.xml file for Tomcat 4.1.x, with the accompanying XML comment.

Example 11-4. The session-config element inside of the default Tomcat web.xml file

<!--=================== Default Session Configuration ================-->
<!-- You can set the default session timeout (in minutes) for all newly-->
<!-- created sessions by modifying the value below.-->

    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>

On application deployment, Tomcat processes its default web.xml file, followed by the deployment descriptors for each web application. Your own session-config element overrides the one specified in conf/web.xml. It is usually a better idea to configure sessions for each web application individually, particularly if they are designed to be portable.

See Also

Recipe 11.1 on configuring the session timeout; Recipe 11.3 on setting the session timeout programmatically; Recipe 11.4 on checking the validity of a session; Chapter 1 on web.xml; Chapter 7 of the Servlet v2.3 and 2.4 specifications on sessions; the session-tracking sections of Java Servlet Programming by Jason Hunter (O'Reilly) and JavaServer Pages by Hans Bergsten (O'Reilly).