Java: difference between setting the session timeout in web.xml and with setMaxInactiveInterval
Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must follow the same CC BY-SA terms, cite the original address and author information, and attribute it to the original authors (not me): StackOverflow
Original address: http://stackoverflow.com/questions/26183265/
Difference between setting session timeouts using web.xml and setMaxInactiveInterval
Asked by Sai
I have a requirement where a user is authenticated into a session and after 10 minutes of inactivity, the session times out. Once the session times out, any further requests from the now expired session are redirected to a timed out page. I have researched in this regard and came to 2 different approaches.
Approach #1:
In web.xml I have the code mentioned below...
<session-config>
<session-timeout>10</session-timeout>
</session-config>
Approach #2:
I have the code mentioned below inside the authenticated page...
response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
response.setDateHeader("Expires", 0); // Proxies.
request.getSession().setMaxInactiveInterval(600);
Now my questions are: what is the difference between these two approaches? Which one is better or recommended? And also, when using approach #2, if the end user navigates away from the authenticated page but has not logged out, does the session still time out after 10 mins of inactivity?
Answered by Gas
Session timeout can be set on various levels:
- In the application server there are usually default settings that can be changed - it is a default for all applications, or for a given application (depending on server config capabilities).
- Then in the application descriptor - you can override it by using web.xml - it will be used for all sessions in the given application.
- Then in the application code - you can override it using session.setMaxInactiveInterval(); it will be overridden only for that session.
As Roman wrote no matter how you set it, it is invalidated by the container when timeout expires.
You should rather avoid the programmatic approach (the last one), as it is easy to miss some session, which will then get the default timeout, and you will have inconsistent behavior. Use web.xml if you want to ensure a given timeout (business requirement) and don't want to rely on server capabilities.
Answered by Roman C
The first approach is using a static constant in the configuration for all sessions. The second approach is dynamic: you can set the value using the servlet API at runtime, and it affects only the session on which the method is called. Once the value is set, the session is invalidated by the container regardless of which approach is used. See what the doc says about HttpSession#setMaxInactiveInterval(int):
Specifies the time, in seconds, between client requests before the servlet container will invalidate this session.
An interval value of zero or less indicates that the session should never timeout.
The value in the deployment descriptor web.xml is in “minutes”, but the setMaxInactiveInterval() method accepts the value in “seconds”.
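As an added example (not code from the question or either answer) tying the asker's redirect requirement to Gas's advice and Roman C's unit note: web.xml's <session-timeout>10</session-timeout> stays the authoritative limit, and a filter handles the redirect for requests that arrive with an already expired session id. The filter class, the /timedout.jsp path and a Servlet 4.0 (javax.servlet) container are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter: web.xml <session-timeout>10</session-timeout> remains the
// source of truth; this filter redirects requests carrying an expired session id
// and re-checks the limit on each live session so none keeps a server default.
@WebFilter("/*")
public class SessionTimeoutFilter implements Filter {

    // web.xml counts minutes; setMaxInactiveInterval() counts seconds.
    private static final int TIMEOUT_MINUTES = 10;
    private static final int TIMEOUT_SECONDS = TIMEOUT_MINUTES * 60;
    private static final String TIMED_OUT_PAGE = "/timedout.jsp"; // assumed path

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The client sent a session id the container no longer knows: the
        // session was invalidated after the inactivity timeout expired.
        if (request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid()
                && !request.getRequestURI().endsWith(TIMED_OUT_PAGE)) {
            response.sendRedirect(request.getContextPath() + TIMED_OUT_PAGE);
            return;
        }

        // Never create a session here; only correct a live one whose limit
        // drifted from web.xml (e.g. a stray setMaxInactiveInterval() call).
        HttpSession session = request.getSession(false);
        if (session != null && session.getMaxInactiveInterval() != TIMEOUT_SECONDS) {
            session.setMaxInactiveInterval(TIMEOUT_SECONDS);
        }

        // Keep authenticated pages out of browser and proxy caches.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);
        chain.doFilter(request, response);
    }
}
```

Because the redirect is keyed on isRequestedSessionIdValid(), it also answers the asker's last question: the container expires the session after 10 idle minutes whichever page the user last visited, and the next request with the stale id lands on the timeout page.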