
Tomcat Session Cookie jsessionid Configuration

Created by info on 2014-08-28

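A Tomcat-based web application relies on the session cookie jsessionid to manage the session between the web browser and the web server. To secure the Tomcat session cookie jsessionid, edit the /home/testuser/tomcat/apache-tomcat-7.0.26.hsl/conf/web.xml file as follows. The http-only flag keeps the cookie out of reach of client-side scripts, and the secure flag restricts it to HTTPS connections: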

    <session-config>
        <session-timeout>30</session-timeout>
        <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
        </cookie-config>
    </session-config>

Note: the session-timeout value is in minutes. However, when you use the Java method getMaxInactiveInterval() to return this value, or the Java method setMaxInactiveInterval() to set this value, the timeout value is in seconds!
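One way to check a web.xml for the settings above, as an added example that is not part of the original post: it parses the file, reports a missing or false http-only or secure flag, and converts session-timeout from minutes to the seconds that getMaxInactiveInterval() would report. The function name and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not from a real deployment). Tomcat 7 web.xml files
# declare the Java EE namespace, so tag names must be matched namespace-free.
_WRAP = ('<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">'
         "<session-config>{}</session-config></web-app>")
SAMPLE_WEAK = _WRAP.format(
    "<session-timeout>0</session-timeout>"
    "<cookie-config><http-only>true</http-only></cookie-config>")
SAMPLE_HARDENED = _WRAP.format(
    "<session-timeout>30</session-timeout>"
    "<cookie-config><http-only>true</http-only>"
    "<secure>true</secure></cookie-config>")


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def audit_session_config(xml_text):
    """Return (findings, timeout_seconds) for <session-config> in a web.xml."""
    root = ET.fromstring(xml_text)
    values = {}
    for sc in root.iter():
        if _local(sc.tag) == "session-config":
            for el in sc.iter():
                values[_local(el.tag)] = (el.text or "").strip()
    findings = []
    for flag in ("http-only", "secure"):
        if values.get(flag, "").lower() != "true":
            findings.append(f"<{flag}> is not set to true")
    try:
        minutes = int(values.get("session-timeout", ""))
    except ValueError:
        findings.append("<session-timeout> is missing or not a number")
        return findings, None
    if minutes <= 0:
        findings.append("<session-timeout> is 0 or less: sessions never time out")
        return findings, None
    # web.xml counts minutes; getMaxInactiveInterval() reports seconds.
    return findings, minutes * 60


if __name__ == "__main__":
    for name, doc in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_session_config(doc))
```

To audit a real deployment, pass the contents of its conf/web.xml to audit_session_config(); a session-timeout of 0 or less is flagged because the servlet container then never expires sessions.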