Hi Deepak By the time sessionCreated is called in an HttpSessionListener, the session has already been created. I am sure if you try to get the HttpSession from the HttpSessionEvent object, it will have what you defined in <session-timeout> tag.
But the code is overriding the timeout using setMaxInactiveInterval to 1 hour that is why it is looking like web.xml is not being given precedence over programmatic session configuration. Whether web.xml takes precedence over annotation does not apply in this case because anyway the session timeout value is being overridden by the code. The tomcat container definitely reads session-timeout from web.xml and assigns timeout for the session accordingly. But since a listener is configured for session lifecycle management, it invokes the method and there the session value is being overridden. Try to set 2 minutes session timeout in web.xml and remove session.setMaxInactiveInterval(60*60). I would say you will be logged out after 2 minutes. If that is not the case, pl let me know. I hope I understood your question and problem correctly. Best, Girish On Wed, Jan 9, 2019 at 1:53 PM Deepak Nigam <deepak.nigam1...@gmail.com> wrote: > Thanks, Jacques. > > Apart from the hardcoded thing, I am not able to override the session > timeout value using <session-timeout> tag in web.xml. > > On Tue, Jan 8, 2019 at 1:55 PM Jacques Le Roux < > jacques.le.r...@les7arts.com> > wrote: > > > Hi Deepak, > > > > You are right, it's hardcoded and should not. I have no time to go > further > > at the moment, but I'll ASAP > > > > Thanks > > > > Jacques > > > > Le 08/01/2019 à 06:10, Deepak Nigam a écrit : > > > Hello all, > > > > > > I tried to set the session timeout for the 'ecommerce' and the > > > 'webtools' components using <session-config> of web.xml, but unable to > do > > > so. Session for the logged-in user remains active even after the set > > time. > > > > > > On further research, I found that we did some changes in this area in > the > > > ticket OFBIZ-6655 <https://issues.apache.org/jira/browse/OFBIZ-6655>. > We > > > have hard coded the session timeout (1 hr) in the sessionCreated() > method > > > of ControlEventListner class. As per the comments in the Jira ticket, > > > session timeout declarations in web.xml have been removed by the use > > > of @WebListner annotation. This is to avoid duplicates things > everywhere > > in > > > web.xml files. Since the web.xml files have precedence on annotations, > > the > > > setting can be easily overridden when necessary. > > > > > > But the @WebListner is missing in the ControlEventListner class. Also, > I > > am > > > unable to override the session timeout in web.xml even after putting > the > > > @WebListner annotation in ControlEventListner class. > > > > > > Please let me know if this is a real issue or I am doing something > wrong? > > > > > > Thanks & Regards > > > -- > > > Deepak Nigam > > > HotWax Systems Pvt. Ltd. > > > > > >
