Sessiontimeout ignored with J2EE sessions

Description

When using J2EE sessions, the application's SessionTimeout parameter is ignored. Instead, sessions time out according to the default session-timeout parameter in tomcat/conf/web.xml.

For my testing, I set the Tomcat default session timeout to 1 minute, and the application's session timeout to 5 seconds.

Application.cfc

Index.cfm

Log Output

Activity

Show:
Michael Offner
April 9, 2021, 1:04 PM

please give this a try

Michael Offner
April 9, 2021, 1:03 PM

Michael Offner
April 9, 2021, 10:15 AM

Problem is when the expired is reached it is up to the controler to remove the session, but if the controller did not yet remove it and the session is requested, it is still returned. you could argue that this is not a bad things, even the session is marked to remove, why not using it, when it is still around. mostly we do have an expired time only for keep the memory in check. But it is invalid and should be corrected.

Pothys - MitrahSoft
November 20, 2020, 7:49 AM

Okay.. Micha will confirm about this issue.

Joe Wakefield
October 16, 2020, 6:45 PM

You confirmed things work as I described it

As far as I am aware, in ColdFusion both application and Tomcat session timeout apply. Both timers will end the session, whereas Lucee seems to completely ignore the application timeout.

Fixed
Your pinned fields
Click on the next to a field label to start pinning.

Assignee

Pothys - MitrahSoft

Reporter

Joe Wakefield