I am using HttpSession’s with Tomcat 6. The first instance of Tomcat 6 that I deployed my web application in had the behavior I would expect for my Tomcat sessions (I set a maxInactiveInteval on my session to 30 minutes).
Update: I added more code to the following to demonstrate exactly how I’m setting this timeout on a session
This is how I first setup the session:
session = request.getSession(true);
session.setAttribute(USER_CREDENTIALS, new Credentials(username, password));
session.setMaxInactiveInterval(60*30);
I then have an interceptor which checks this session:
HttpSession session = request.getSession(true);
Credentials cred = (Credentials) session.getAttribute(AuthController.USER_CREDENTIALS);
Seems to work fine in the Tomcat instance I devloped with, but in another instance of Tomcat 6, in a load balanced environment, the maxInactiveInteval doesn’t seem to be respected.
Update: What I mean is that the users session expires if the user is inactive (no new requests) for approximately ten seconds.
There is no where else in the code where maxInactiveInteval is set. What could be causing this behavior?
As per the comments on the question, your concrete problem is that a loadbalanced Tomcat instance expires the sessions almost immediately. Setting/changing the
<session-timeout>andsetMaxInactiveInterval()just don’t help at all.You first need to exclude the client from being suspect by tracking the cookie traffic using Firebug and/or Fiddler. If the cookie traffic looks fine (i.e. the client returns the proper session cookie on all subsequent requests), then the loadbalancer or Tomcat configuration is broken. This is not a programming error, but food for the server admin.