Increasing the session time out

Hi,
I have read this question at www.j2eecertification.com
Which of the following actions will cause a session to be expunged in a web application? [Check all correct answers]
1. Navigating to a different web site or web application.
2. Closing the web browser.
3. The client does not send a request to the web application for a length of time that exceeds the session timeout value of the associated session object in the application.
4. Accessing a resource which causes the associated session to be explicity invalidated by making a call to the invalidate() method of the session.
The correct answer is:
3 and 4. According to j2eecertification.
I have a some doubt at no. 3,is not possible that client(admin) uses setMaxInactiveInterval() method in order to exceed the length of time of session timeout to the associated session object.
Regards,
Nauman

Even if user(admin) did call session.setMaxInactiveInterval(int), it would only increase the time that session is allowed to be valid.
e.g. application session-timeout is 15 minutes, a servlet calls the setMaxInactiveInterval on the current session and increases the timeout to 20 minutes. As far as I know this change is only applicable to the current session object you made the call on. All the rest off the sessions that exist
will still use the default value for your application.
Once this object you made te call on has been inactive for more then the 20 minutes it is elligible to be expunged, That is why 3 is also a valid selection.
Hope this helps
Francois Groenewald

Hi Francois Groenewald,
As you said that setMaxactiveInterval(int) only increased the session timeout value for the current session and doesn't effect the default value.
But I'm not cleared from this
3)The client does not send a request to the web application for a length of time that exceeds the session timeout value of the associated session object in the application
I'm getting the meaning that associated session object is referring the current session object and that value can be changed by the client request even that would be for short time because once the session destroy this change will be gone.In this case option 3 could be wrong.
But if associated session object has other meaning then iption 3 is right.
Please some shed on it.
Regards,
Nauman

Nauman,
First, as Francois pointed out, setMaxactiveInterval(int) <- "called by servlet programmer" only effect the associated session & the value (in seconds) could be larger or smaller than the timeout value (in mins) inside the deployment descriptior.
Second, the client on (3) is on broswer side, they can not change the timeout value as they have no access to servlet code.
please correct me if I am wrong :roll:
[ September 18, 2003: Message edited by: chi Lin ]