Session timeout confusion - session.setMaxInactiveInterval(0)

Asked 11/1, 2014 at 15:21 Answered 9/3, 2015 at 9:38

Solved java session jakarta-ee glassfish session-timeout

I am new to JEE and this is what confuses me. According to HttpSession.html#setMaxInactiveInterval(int interval) documentation

An interval value of zero or less indicates that the session should never timeout.

but according to my text book (which already is few years old - so I expect it not to be always right) using zero as argument should cause session to timeout immediately.

This code

public class Test extends HttpServlet {

    protected void doGet(HttpServletRequest request,
            HttpServletResponse response) throws ServletException, IOException {

        response.setContentType("text/html");
        response.setCharacterEncoding("utf-8");

        PrintWriter out = response.getWriter();

        HttpSession session = request.getSession();
        session.setAttribute("foo", 42);
        session.setMaxInactiveInterval(0);

        out.println(session.getAttribute("foo"));//problem here

    }
}

used on Glassfish 4.0 seems to confirm theory from textbook instead of newer official documentation because it returns HTTP Status 500 - Internal Server Error with error message

java.lang.IllegalStateException: getAttribute: Session already invalidated

What is going on here? Is this Glassfish 4.0 bug or documentation is wrong? Or maybe there is third option?

PS. This code works as it should with negative values (session is not invalidated) and I am using -1 instead of 0 in my code. I am just interested what is wrong with 0.

Croaker answered 11/1, 2014 at 15:21 Comment(5)

The code works on Tomcat 7. Try with -1. – Johnathanjohnathon 11/1, 2014 at 15:26

@SotiriosDelimanolis Thanks. -1 works fine and since it seems safer I am using it instead of 0. I am just curious what is wrong with zero. – Croaker 11/1, 2014 at 15:32

What happens if you set the session-config session-timeout value to 0 in web.xml? – Johnathanjohnathon 11/1, 2014 at 15:34

@SotiriosDelimanolis When I remove session.setMaxInactiveInterval(0); from code and use <session-config><session-timeout>0</session-timeout></session-config> in web.xml it seems to be working fine (session is not destroyed). What is interesting session.getMaxInactiveInterval() returns -60 (in seconds) so it seems that value of session-timeout is converted to -1 (in minutes) – Croaker 11/1, 2014 at 15:39

Yes that config is in minutes while setMaxInactiveInterval is in seconds. – Johnathanjohnathon 11/1, 2014 at 15:42

The Servlet Specification chapter on Session Timeouts states

By definition, if the time out period for a session is set to -1, the session will never expire.

So GlasshFish seems to have that covered. I can't find any reference in the specification that says that the same should be true for a value of 0 with setMaxInactiveInterval(). However it does say

The session-config defines the session parameters for this Web application. The sub-element session-timeout defines the default session time out interval for all sessions created in this Web application. The specified time out must be expressed in a whole number of minutes. If the time out is 0 or less, the container ensures the default behavior of sessions is never to time out. If this element is not specified, the container must set its default time out period.

Johnathanjohnathon answered 11/1, 2014 at 15:31 Comment(1)

Thanks for specification link (I would upvote you only for that if I could). I assume that since 0 is undefined in specification for setMaxInactiveInterval but only for <session-config> Glassfish implemented it correctly (but not perfectly according to JavaDoc) so it is not a bug. Anyway you give probably best answer that non-glass-fish-emploee could give so will accept your answer. Tank you once again. – Croaker 11/1, 2014 at 16:0

This is already time out and invalidate

session.setMaxInactiveInterval(0); // mean inactive immediately

So this is correct error message. (please refer head first book for further reference.)

You are trying to access object value which is not exist. it's already destroyed

Derange answered 9/3, 2015 at 9:38 Comment(1)

Yes, I know that HF - servlets and JSP shows that for argument 0 session will be invalidated immediately, but in official documentation docs.oracle.com/javaee/7/api/javax/servlet/http/… we can read that "An interval value of zero or less indicates that the session should never timeout." which was source of my confusion. – Croaker 15/3, 2015 at 15:30

Recommended topics

Hot tags