A session is started for the web browser when it connects to your application. Tomcat closes the session on the server when the maximum period of inactivity has passed (30 minutes).
This timeout is reset whenever there is activity on the web browser, such as refreshing the current page or navigating through other pages under the application control. Merely keeping a browser window open does not keep the session open because it does not generate any activity on the browser.
You can set it in the web.xml file as you described.
You can also set it for the session object by calling setMaxInactiveInterval(int interval)
This specifies the time, in seconds, between client requests before the servlet container will invalidate this session.
You have to make sure, that the cookies are enabled for your browser. Otherwise you create a new Session with each request. You should call the HttpServletResponse.encodeURL(String url) for each URL in your application. From the api doc:
"Encodes the specified URL by including the session ID in it, or, if encoding is not needed, returns the URL unchanged. The implementation of this method includes the logic to determine whether the session ID needs to be encoded in the URL. For example, if the browser supports cookies, or session tracking is turned off, URL encoding is unnecessary.
For robust session tracking, all URLs emitted by a servlet should be run through this method. Otherwise, URL rewriting cannot be used with browsers which do not support cookies."