tomcat-users mailing list archives

From Christopher Schultz
Subject Re: Where to find session cookies
Date Thu, 28 Jun 2007 13:13:28 GMT


Johnny Kewl wrote:
> I think they're actually referring to Session cookies, and making Tomcat
> never timeout a session.

TC will eventually timeout a session unless it is still in use. Just
because the cookie has no expiration doesn't mean that the session has
no expiration.

If the session is in use, there's no sense in expiring it. If you have
many in-use sessions and you run out of memory, then you haven't done
your capacity planning properly.

> So I think that if attributes and session beans never ever die, they 
> will eventually amass a major amount of memory...

"Session beans" aren't necessarily tied to a user's session in the
servlet API sense. If you mean "beans in the session", see above...

> in the OP's first question he was asking about session timeouts... and
> making them last forever.

I must have totally missed that. I'll bet there's no way to make a
session last forever.

A "don't log me out, ever" setting on a webapp usually works outside of
the session management provided by the container, but also works with
it. The browser sends a "keep me logged-in" cookie to the server, and if
the user is not currently logged-in, you perform an "automatic login"
which does not require credentials but still gives you a session.

This gives the user the illusion of a session that never expires but, of
course, the session /does/ expire so that the server doesn't explode
with non-expiring sessions.

If app servers kept sessions indefinitely, they would crash every day :(

-chris
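
The "keep me logged-in" cookie described in the message above, sketched as an added example (not part of the original post and not Tomcat code): the server stores only a hash of a random token, redeems it once when a request arrives without a live session, and the container session still expires normally. The class name `RememberMeStore`, the `selector:validator` cookie format and the in-memory map are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical store for "keep me logged in" tokens; not part of Tomcat or the servlet API. */
public class RememberMeStore {
    private record Entry(String user, byte[] validatorHash, Instant expires) {}
    // In-memory map as a stand-in for a persistent table (assumption).
    private final Map<String, Entry> bySelector = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();
    private String random(int bytes) {
        byte[] b = new byte[bytes];
        rng.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }
    private static byte[] sha256(String s) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
    }

    /** After a credentialed login: returns the cookie value "selector:validator". */
    public String issue(String user, Instant expires) throws Exception {
        String selector = random(12), validator = random(32);
        bySelector.put(selector, new Entry(user, sha256(validator), expires)); // only the hash is stored
        return selector + ":" + validator;
    }

    /** For a request with no live session. Tokens are single-use: the entry is removed
     *  whether or not it validates; on success the caller starts a session and re-issues. */
    public Optional<String> redeem(String cookieValue, Instant now) throws Exception {
        String[] parts = cookieValue == null ? new String[0] : cookieValue.split(":", 2);
        if (parts.length != 2) return Optional.empty();
        Entry e = bySelector.remove(parts[0]);
        if (e == null || now.isAfter(e.expires())) return Optional.empty();
        // Constant-time comparison of the stored hash against the presented validator's hash.
        boolean ok = MessageDigest.isEqual(e.validatorHash(), sha256(parts[1]));
        return ok ? Optional.of(e.user()) : Optional.empty();
    }
    public static void main(String[] args) throws Exception {
        RememberMeStore store = new RememberMeStore();
        String cookie = store.issue("alice", Instant.now().plusSeconds(30L * 24 * 3600)); // constructed sample
        System.out.println("first use:  " + store.redeem(cookie, Instant.now()));
        System.out.println("replayed:   " + store.redeem(cookie, Instant.now()));
    }
}
```

In a servlet filter, a successful `redeem` would be followed by creating a fresh session and setting a newly issued cookie with the `HttpOnly` and `Secure` attributes.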

