Hello, We have recently upgraded our tomcats to Tomcat7 in order to gain the new exposure to the configuration of the session cookie, namely the max age property. I had tried reading posts about getting it to work with tomcat6 but writing multiple cookies to the request caused problems for quite a few of our end users.
We tried to set the cookie max age to 3 hours, the exact same time as our session timeout. However, I was extremely surprised that the session cookie didn't get updated on every request. The cookie max age was set when the session was created and that was it. The end result is that our users who stay signed on for longer than 3 hours now appear to get logged out. I'm curious about this functionality - why was the decision made to not update the session cookie if a max age is set? We can effectively get what we want by setting the max age to 24 hours, but that seems like the wrong solution. Any help on the matter is greatly appreciated. Joshua Simmons