The Java EE 5 Tutorial

Session Management

Because there is no way for an HTTP client to signal that it no longer needs a session, each session has an associated timeout so that its resources can be reclaimed. The timeout period can be accessed by using a session’s [get|set]MaxInactiveInterval methods.

    You can also set the timeout period in the deployment descriptor using NetBeans IDE:

  1. Open the web.xml file in the web.xml editor.

  2. Click General at the top of the editor.

  3. Enter an integer value in the Session Timeout field. The integer value represents the number of minutes of inactivity that must pass before the session times out.

To ensure that an active session is not timed out, you should periodically access the session by using service methods because this resets the session’s time-to-live counter.

When a particular client interaction is finished, you use the session’s invalidate method to invalidate a session on the server side and remove any session data. The bookstore application’s ReceiptServlet is the last servlet to access a client’s session, so it has the responsibility to invalidate the session:

public class ReceiptServlet extends HttpServlet {
     public void doPost(HttpServletRequest request,
                    HttpServletResponse response)
                     throws ServletException, IOException {
        // Get the user’s session and shopping cart
        HttpSession session = request.getSession();
        // Payment received -- invalidate the session