(for Tomcat) in conf/web.xml (or inside the individual application's WEB-INF/web.xml) there is a session configuration tag.
If you set the timeout to -1 that means "never" but I've seen some people say that it means "when the browser closes". So you might investigate if using -1 gives you the behaviour you want.
[ February 10, 2003: Message edited by: Mike Curwen ]
It's not possible.
The reason that it appears to work for Tomcat is in my opinion: Tomcat sends a temporary cookie which is not permanently saved on the browser. It contains the jsessionid. When the browser is closed the temporary cookie is discarded. After restarting and reconnecting, Tomcat finds that the browser doesn't send a jsessionid and thus creates a new session for this client. This creates the effect that you're logged off after exiting the browser.
Originally posted by Pete Harris:
Yes, of course, and some people do turn off the power of their computer or disconnect from the internet. So this doesn't work for every case.
What about this:
Create a kind of cookie listener, which destroys sessions after inactivity of 5 minutes or something.
Originally posted by Asher Tarnopolski:
You don't need a cookie listener; every time the user clicks another link inside your application the session's maxinactiveinterval can be updated to the new value.
In any case Stefan is totally right.
This type of session management is done automatically by the servlet container. All that is required is to set the session timeout time in the web.xml file under the session-timeout tag. If no request is received within the time specified, the session is automatically invalidated.
Otherwise your only option (and this is the one I took) is to have standard timeouts controlled by the container, but also have a warning on the login screen saying that if you already have a session active, re-logging in will destroy the old session.
If the user tries to log on again from the same IP address before the session has expired, it's probably because they closed the browser. You should offer the choice of closing their old session and starting a new one.
If the user tries to log on again from a different IP address, then it is probably because the browser is still open on the old machine, and may mean that two people are using the same userid. In this case it's usually best to refuse the login with a message indicating that the user is already logged in elsewhere.
A much better solution, usually, is to build your application so that it doesn't care if the same user logs on twice. Makes testing much easier too!
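The approach discussed in the last few posts (container-controlled timeout, plus replacing or refusing a second login depending on the client IP address) could look like the following. This is an added example, not code from the thread; it assumes the javax.servlet API, and the class name `SingleSessionRegistry`, the `Decision` enum and the method names are hypothetical.

```java
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Hypothetical helper: keeps at most one live session per user id. */
public class SingleSessionRegistry implements HttpSessionListener {

    public enum Decision { NEW_LOGIN, OFFER_REPLACE, REFUSE }

    private static final class Entry {
        final HttpSession session;
        final String ip;
        Entry(HttpSession session, String ip) { this.session = session; this.ip = ip; }
    }

    private static final ConcurrentHashMap<String, Entry> ACTIVE = new ConcurrentHashMap<>();

    /** Call after the credentials have been verified, before login(). */
    public static Decision check(String userId, String remoteAddr) {
        Entry e = ACTIVE.get(userId);
        if (e == null) return Decision.NEW_LOGIN;          // no live session for this user
        // Same address: the browser was probably closed. Different address:
        // probably a second user. Behind NAT or a proxy, getRemoteAddr() is
        // the gateway's address, so treat this as a heuristic only.
        return e.ip.equals(remoteAddr) ? Decision.OFFER_REPLACE : Decision.REFUSE;
    }

    /** Registers the new session and destroys the user's old one, if any. */
    public static void login(String userId, HttpServletRequest req) {
        HttpSession fresh = req.getSession(true);
        Entry old = ACTIVE.put(userId, new Entry(fresh, req.getRemoteAddr()));
        if (old != null && old.session != fresh) {
            try {
                old.session.invalidate();
            } catch (IllegalStateException alreadyInvalid) {
                // the container timed the old session out in the meantime
            }
        }
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) { }

    /** Called by the container on session-timeout expiry or invalidate(). */
    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession gone = se.getSession();
        // Remove only the entry that still points at this exact session, so a
        // replacement registered by login() is not dropped by mistake.
        ACTIVE.values().removeIf(e -> e.session == gone);
    }
}
```

The class has to be declared as a `<listener>` in web.xml so the container calls `sessionDestroyed`, and the `session-timeout` value there still decides when an abandoned session disappears from the registry.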