You normally use the HttpSession to maintain a logged-in user. You can set its timeout in the web.xml. The default timeout is 30 minutes. When a user logs in successfully, you set the representing User object (or some other key indicating a logged-in user) in the session. When a user logs out, you simply invalidate the session so that the user can continue with a fresh start. Or you just let the session expire, which automatically logs out the user. The HttpSession attributes are accessible by ExternalContext#getSessionMap(). The HttpSession itself is available by ExternalContext#getSession(). Alternatively you can also declare a session scoped managed bean, e.g. UserSession, which holds a User property indicating the logged-in User.
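The login and logout flow described above, as an added example that is not part of the original text. It assumes JSF 2.x with the javax.* packages and a Servlet 3.1+ container; LoginBean, User, UserService, the "user" session key and the home/login view names are hypothetical.

```java
import java.io.Serializable;
import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpServletRequest;

@ManagedBean
@RequestScoped
public class LoginBean {
    /** Hypothetical user type; Serializable because it is stored in the session. */
    public static class User implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        public User(String name) { this.name = name; }
        public String getName() { return name; }
    }
    /** Hypothetical credential check; returns null when the credentials are wrong. */
    public interface UserService { User find(String username, String password); }

    private UserService userService; // assumption: injected by the container (@EJB or @Inject)
    private String username, password;

    public String login() {
        FacesContext fc = FacesContext.getCurrentInstance();
        ExternalContext ec = fc.getExternalContext();
        User user = userService.find(username, password);
        password = null; // do not keep the credential around after the check
        if (user == null) {
            fc.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, "Unknown login", null));
            return null; // stay on the login page
        }
        ec.getSession(true); // changeSessionId() throws IllegalStateException without a session
        ((HttpServletRequest) ec.getRequest()).changeSessionId(); // new session ID after login
        ec.getSessionMap().put("user", user); // the key indicating a logged-in user
        return "home?faces-redirect=true";
    }

    public String logout() {
        // Invalidating drops the session and every attribute in it, including "user".
        FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
        return "login?faces-redirect=true"; // redirect so the next request gets a fresh session
    }

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}
```

Rotating the session ID at login keeps an ID that was issued before authentication from carrying the logged-in state.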