Setting session timeout through the deployment descriptor should work - it sets the default session timeout for the web app. Calling session.setMaxInactiveInterval() sets the timeout for the particular session it is called on, and overrides the default. Be aware of the
unit difference, too - the deployment descriptor version uses minutes, and session.setMaxInactiveInterval() uses seconds.
So
<session-config>
<session-timeout>60</session-timeout>
</session-config>
sets the default session timeout to 60 minutes.
And
session.setMaxInactiveInterval(600);
sets the session timeout to 600 seconds - 10 minutes - for the specific session it's called on.
This should work in
Tomcat or Glassfish or any other
Java web server - it's part of the spec.