Session Timeouts for Web Applications

For session-based Web applications, a session is started for the Web browser when it connects to a Web server application. A session provides a timeout feature that closes the session on the server when the maximum period of inactivity has passed. The default timeout for many application servers is 30 minutes.

This timeout is reset whenever there is activity on the Web browser, such as refreshing the current page or navigating through other pages under the application's control. Merely keeping a browser window open does not keep the session open, because it does not generate any activity on the browser.

When the session closes, any application-related state must be reestablished by the Web browser. Examples include redoing the login, re-supplying the session's parameters, and reconnecting to back-end systems such as directory servers or Common Object Request Broker Architecture (CORBA) servers.

You may be able to customize the session timeout, depending on the type of Web server or Web application server that you are using. See the documentation for your Web server or Web application server for information about configuring these settings.

NOTE: Long timeouts or no timeouts not only leave sessions open longer than necessary, which is a security concern on the browser side, but also consume more server resources to hold stale sessions.


In a J2EE application server, the session timeout is set in the application's web.xml; the value is given in minutes. For example:

<web-app>
    ...
    <session-config>
        <!-- idle limit in minutes; 30 matches the usual server default -->
        <session-timeout>30</session-timeout>
    </session-config>
    ...
</web-app>
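The following servlet is an added example, not code from the original page, showing how the idle timeout configured above is visible and adjustable through the javax.servlet API (J2EE-era Servlet 2.x). The class names SessionTimeoutServlet and Audit, the "/logout" path (the servlet is assumed to be mapped to "/session/*"), the "admin" role name and the ten-minute privileged limit are assumptions made for this example. It also shows the two points a practitioner most often trips over: web.xml counts in minutes while setMaxInactiveInterval() counts in seconds, and any request to the server, including a status poll, counts as activity and resets the timer.

```java
// Added example (not from the original page): how the configured session
// timeout appears in the servlet API. Class names, the "/logout" path, the
// "admin" role and ADMIN_IDLE_SECONDS are assumptions for this example.
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

public class SessionTimeoutServlet extends HttpServlet {

    /** Idle limit applied to privileged sessions, in SECONDS (assumed policy). */
    static final int ADMIN_IDLE_SECONDS = 10 * 60;

    /**
     * Seconds of inactivity left before the container discards the session.
     * Kept as a pure function so it can be checked without a container.
     * lastAccessedMillis and nowMillis are epoch milliseconds; maxInactiveSeconds
     * is the value of getMaxInactiveInterval(), where <= 0 means "never expires".
     */
    static long remainingIdleSeconds(long lastAccessedMillis, int maxInactiveSeconds,
                                     long nowMillis) {
        if (maxInactiveSeconds <= 0) {
            return Long.MAX_VALUE;
        }
        long idleSeconds = (nowMillis - lastAccessedMillis) / 1000L;
        return Math.max(0L, maxInactiveSeconds - idleSeconds);
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getSession(true) creates the session on first contact; every later request
        // that carries the session cookie resets the inactivity timer.
        HttpSession session = req.getSession(true);

        // web.xml <session-timeout> is in MINUTES; setMaxInactiveInterval() is in SECONDS.
        // Only ever tighten the limit for privileged users; never relax it globally here.
        if (req.isUserInRole("admin")
                && session.getMaxInactiveInterval() > ADMIN_IDLE_SECONDS) {
            session.setMaxInactiveInterval(ADMIN_IDLE_SECONDS);
        }

        if ("/logout".equals(req.getPathInfo())) {
            // Explicit logout: do not wait for the idle timeout to reclaim the session.
            session.invalidate();
            resp.sendRedirect(req.getContextPath() + "/");
            return;
        }

        // getLastAccessedTime() still reports the previous request while this one is
        // being served, so this is how close the session was to expiring on arrival.
        long remaining = remainingIdleSeconds(session.getLastAccessedTime(),
                session.getMaxInactiveInterval(), System.currentTimeMillis());
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("session id: " + session.getId());
        out.println("max inactive interval (s): " + session.getMaxInactiveInterval());
        out.println("idle seconds remaining when this request arrived: " + remaining);
        // Do not have the page poll this servlet to drive a countdown: each poll is
        // "activity" and would keep a stale session alive indefinitely. Count down
        // client-side from the value rendered here instead.
    }

    /**
     * Audit hook: the container calls sessionDestroyed() both for explicit
     * invalidate() and for expiry after inactivity, so logging here records
     * which sessions are being reclaimed and under what limit. Register in web.xml:
     * <listener><listener-class>SessionTimeoutServlet$Audit</listener-class></listener>
     */
    public static class Audit implements HttpSessionListener {
        public void sessionCreated(HttpSessionEvent e) {
            HttpSession s = e.getSession();
            System.out.println("session created: " + s.getId()
                    + " limit(s)=" + s.getMaxInactiveInterval());
        }

        public void sessionDestroyed(HttpSessionEvent e) {
            HttpSession s = e.getSession();
            System.out.println("session ended: " + s.getId()
                    + " limit(s)=" + s.getMaxInactiveInterval());
        }
    }
}
```

With the web.xml fragment above, a plain request to the servlet reports a 1800-second interval (30 minutes); a request from a user in the assumed "admin" role reports 600 seconds thereafter. The remainingIdleSeconds() helper can be exercised on its own: for a session last seen 1500 seconds ago under an 1800-second limit it returns 300, and for a limit of 0 it returns Long.MAX_VALUE, matching the servlet contract that a non-positive interval never expires.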