You want to configure a session timeout period for all of the web applications that are running within an instance of Tomcat.
Set the session timeout within the session-config element in <Tomcat-installation-directory>/conf/web.xml .
You can set the session timeout for all web applications by configuring Tomcat's default conf / web.xml file. If the deployment descriptor for a particular web application does not have a session-config element, then the application uses the value set in conf/web.xml as the default session timeout. The content of the session-timeout element (nested within session-config ) represents the time in minutes until an inactive session expires .
Example 11-4 shows the session-config element in the default web.xml file for Tomcat 4.1.x, with the accompanying XML comment.
Example 11-4. The session-config element inside of the default Tomcat web.xml file
<!--=================== Default Session Configuration ================--> <!-- You can set the default session timeout (in minutes) for all newly--> <!-- created sessions by modifying the value below.--> <session-config> <session-timeout>30</session-timeout> </session-config>
On application deployment, Tomcat processes its default web.xml file, followed by the deployment descriptors for each web application. Your own session-config element overrides the one specified in conf/web.xml . It is usually a better idea to configure sessions for each web application individually, particularly if they are designed to be portable.
Recipe 11.1 on configuring the session timeout; Recipe 11.3 on setting the session timeout programmatically; Recipe 11.4 on checking the validity of a session; Chapter 1 on web.xml ; Chapter 7 of the Servlet v2.3 and 2.4 specifications on sessions; the session-tracking sections of Java Servlet Programming by Jason Hunter (O'Reilly) and JavaServer Pages by Hans Bergsten (O'Reilly).