SessionTimeout:web.xml 与 session.maxInactiveInterval() [英] SessionTimeout: web.xml vs session.maxInactiveInterval()
问题描述
我正在尝试使 Java 中的 HttpSession 超时.我的容器是 WebLogic.
I'm trying to timeout an HttpSession in Java. My container is WebLogic.
目前,我们在 web.xml 文件中设置了会话超时,如下所示
Currently, we have our session timeout set in the web.xml file, like this
<session-config>
<session-timeout>15</session-timeout>
</session-config>
现在,我被告知这将在使用的第 15 分钟终止会话(还是所有会话?),无论他们的活动如何.
Now, I'm being told that this will terminate the session (or is it all sessions?) in the 15th minute of use, regardless their activity.
我想知道这种方法是否正确,或者我应该通过以下方式以编程方式设置不活动的时间限制
I'm wondering if this approach is the correct one, or should I programatically set the time limit of inactivity by
session.setMaxInactiveInterval(15 * 60); //15 minutes
我不想在 15 分钟后放弃所有会话,只放弃那些 15 分钟不活动的会话.
I don't want to drop all sessions at 15 minutes, only those that have been inactive for 15 minutes.
这些方法等价吗?我应该喜欢 web.xml 配置吗?
Are these methods equivalent? Should I favour the web.xml config?
推荐答案
现在,我被告知这将在使用的第 15 分钟终止会话(或者是所有会话?),不管他们的活动.
这是错误的.当关联的客户端(网络浏览器)超过 15 分钟未访问该网站时,它只会终止会话.活动当然很重要,正如您最初预期的那样,看到您尝试解决此问题.
This is wrong. It will just kill the session when the associated client (webbrowser) has not accessed the website for more than 15 minutes. The activity certainly counts, exactly as you initially expected, seeing your attempt to solve this.
顺便说一下,HttpSession#setMaxInactiveInterval() 在这里没有太大变化.它与 web.xml 中的 static 方法).
The HttpSession#setMaxInactiveInterval() doesn't change much here by the way. It does exactly the same as <session-timeout> in web.xml, with the only difference that you can change/set it programmatically during runtime. The change by the way only affects the current session instance, not globally (else it would have been a static method).
要玩转并自己体验,请尝试将 HttpSessionListener 如下:
To play around and experience this yourself, try to set <session-timeout> to 1 minute and create a HttpSessionListener like follows:
@WebListener
public class HttpSessionChecker implements HttpSessionListener {
public void sessionCreated(HttpSessionEvent event) {
System.out.printf("Session ID %s created at %s%n", event.getSession().getId(), new Date());
}
public void sessionDestroyed(HttpSessionEvent event) {
System.out.printf("Session ID %s destroyed at %s%n", event.getSession().getId(), new Date());
}
}
(如果您还没有使用 Servlet 3.0,因此无法使用 @WebListener,则在 web.xml 中注册如下):
(if you're not on Servlet 3.0 yet and thus can't use @WebListener, then register in web.xml as follows):
<listener>
<listener-class>com.example.HttpSessionChecker</listener-class>
</listener>
请注意,servletcontainer 不会在恰好超时值后立即销毁会话.这是一个以特定时间间隔运行的后台作业(例如 5~15 分钟,取决于负载和 servletcontainer make/type).因此,当您在不活动一分钟后立即在控制台中没有看到 destroyed 行时,请不要感到惊讶.但是,当您在超时但尚未销毁的会话上触发 HTTP 请求时,它将立即销毁.
Note that the servletcontainer won't immediately destroy sessions after exactly the timeout value. It's a background job which runs at certain intervals (e.g. 5~15 minutes depending on load and the servletcontainer make/type). So don't be surprised when you don't see destroyed line in the console immediately after exactly one minute of inactivity. However, when you fire a HTTP request on a timed-out-but-not-destroyed-yet session, it will be destroyed immediately.
这篇关于SessionTimeout:web.xml 与 session.maxInactiveInterval()的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
