Session expiry times?

Question

Hi,

I've enabled sessions on my app:

// appengine-web.xml
<sessions-enabled>true</sessions-enabled>

they seem to work when I load different pages under my domain. If I close the browser however, looks like the session is terminated. Restarting the browser shows the last session is no longer available.

That could be fine, just wondering if this is documented anywhere, so I can rely on this fact?

I tried the following just to test if we can tweak it:

// in web.xml
<session-config>
    <session-timeout>10</session-timeout>
</session-config>

also

// in my servlet
getThreadLocalRequest().getSession().setMaxInactiveInterval(60 * 5);

but same behavior, session data is no longer available after browser restart.

I looked at the stats for my project and I see data being used for something like "_ah_SESSION" objects. Are those the sessions from above? If so, shouldn't they be cleaned since they're no longer valid? (Hopefully gae takes care of that automatically?)

Thanks

Answer 1

That is how a session works. JSESSIONID typically holds the session ID in the HTTP. When the browser closes the session the session still stays active in the server and all expired sessions are freed after a period of time.
When you reopen a new browser session the browser has no idea on any previous sessions so a new one is created.
There are workarounds for this...
- Create a Cookie
- Store a unique variable in a hidden form field and use that.
- URL rewriting

Answer 2

Using Google accounts, session expiry is actually handled in the App Engine admin console, not through Java. Log in to your admin console at http://appengine.google.com/ and select 'Application Settings', then change 'Cookie Expiration' to whatever period suits you best.