We are running 7.0.69 and Java 1.8.0_91.
We ran into an incident at a customer where the customer had set
session-timeout to 0 - which according to the servlet 3.0 spec, the session
should never time out. However, the customer was basically seeing the session
timeout immediately. When we changed session-timeout to a larger number (30)
and restarted, the problem immediately went away.
It looks like setMaxInactiveInterval _may_ be using the value of
session-timeout if it is not explicitly set, and if so, is not handling the
session-timeout = 0 case specially. It also looks like maxInactiveInterval is
really controlling the lifetime of the session. But I have also not been
through the Tomcat code often, so I am not 100% sure I'm looking in the right
spot.
Has anyone seen this issue before? Am I misinterpreting something?
Thanks,
Mark