What is the difference between session-timeout and max-age in web.xml?

Before explaining what they are, be sure to understand a few things.

From your question it is clear you are already aware of the first but perhaps confused about the second item in the below list:

  • the two settings use different units: session-timeout is in minutes, whereas max-age is in seconds
  • they measure time in different ways: session-timeout measures time in a relative way, max-age measures time in an absolute way (explained further below)
  • they are taken into account and enforced by different software components. The session-timeout is taken into account by the container, whereas the max-age is taken into account and enforced by the user's browser. Equivalently, you may say that session-timeout applies to the server side, whereas max-age applies to the client side.

session-timeout gives the maximum idle duration before the container decides to destroy the session object representing your "connection" in the server. This means that you may set the value of session-timeout to just 1 minute and still manage to keep the session object in the server forever as long as your browser sends HTTP GET, POST etc. messages to the server once every 59 seconds.

max-age is used by the user's browser to compute an absolute, fixed point in time, beyond which the session cookie (JSESSIONID in Java) will no longer be sent to the server. The browser computes this fixed point in time based on the time when the server sent the cookie to the browser (plus max-age). This is an absolute fixed point in time beyond which the cookie will no longer be sent to the server. As such, activity or inactivity on behalf of the user makes no difference. That's why if you examine the cookies in the developer console of your browser you see an absolute timestamp for the session cookie:



Caveat

An exception to the above description on the value of max-age denoting a fixed point in time, is if the specially interpreted value -1 is used. In such a case that's what you see in the developer console:


… and also as explained in this answer this means that the browser will keep sending the cookie for the duration of the "browser session". I am putting "browser session" in quotes to differentiate it from server-side sessions. How the concept of a session is understood by a browser (e.g. whether different tabs correspond to different sessions) is implementation-specific.

Given the different semantics of session-timeout and max-age, it follows that attempts to "align" the two values like the web.xml excerpt you provide in your question:

<session-config>
    <session-timeout>30</session-timeout> <!-- 30 minutes! -->
    <cookie-config>
        <http-only>true</http-only>
        <max-age>1800</max-age> <!-- 1800 seconds: 30 minutes! -->
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>

… likely indicate confusion.

max-age provides a hard limit (unless the special value -1 is used), whereas session-timeout effectively provides no limit, as long as the user actively uses the session. This being said, I think it makes more sense that max-age is larger in value than session-timeout rather than the other way around.

Regarding the default and specially interpreted values (0 for the session-timeout and -1 for max-age) and whether you can configure those values for all cookies (as opposed to just the session cookie), these points are explained in this answer.
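To make the relative/absolute distinction above concrete, here is an added Java illustration (not code from the answer) that models the two clocks with the 30-minute / 1800-second values from the question's web.xml; class, method names and the traffic pattern are constructed for the example.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;

// Added illustration, not code from the answer: models the two clocks described above.
// The container keeps a session while the gap between requests stays below
// session-timeout (relative); the browser drops the cookie at an instant fixed once,
// when the cookie was issued (absolute). Exact boundary handling is container-specific.
public final class SessionVsCookieClock {

    // Values taken from the web.xml excerpt in the question.
    static final Duration SESSION_TIMEOUT = Duration.ofMinutes(30);
    static final Duration COOKIE_MAX_AGE = Duration.ofSeconds(1800);

    /** Requests at which the browser still attaches the cookie: user activity is irrelevant. */
    static List<Instant> requestsCarryingCookie(List<Instant> requests, Instant cookieIssuedAt) {
        Instant cutoff = cookieIssuedAt.plus(COOKIE_MAX_AGE);
        List<Instant> out = new ArrayList<>();
        for (Instant r : requests) {
            if (r.isBefore(cutoff)) out.add(r);
        }
        return out;
    }

    /** Instant at which the container discards the session that saw these requests. */
    static Instant serverSessionExpiry(List<Instant> requestsSeenBySession) {
        Instant last = requestsSeenBySession.get(0);
        for (Instant r : requestsSeenBySession) {
            // A request arriving after the idle window closed hits a *new* session;
            // the old one already expired at last + SESSION_TIMEOUT.
            if (!r.isBefore(last.plus(SESSION_TIMEOUT))) break;
            last = r;
        }
        return last.plus(SESSION_TIMEOUT);
    }

    public static void main(String[] args) {
        Instant login = Instant.parse("2024-01-01T09:00:00Z"); // constructed timestamp
        List<Instant> requests = new ArrayList<>();            // constructed traffic: one request every 10 min
        for (int m = 0; m <= 50; m += 10) requests.add(login.plus(Duration.ofMinutes(m)));

        List<Instant> withCookie = requestsCarryingCookie(requests, login);
        System.out.println("browser stops sending JSESSIONID at  " + login.plus(COOKIE_MAX_AGE));
        System.out.println("last request that reached the session " + withCookie.get(withCookie.size() - 1));
        System.out.println("container discards that session at    " + serverSessionExpiry(withCookie));
    }
}
```

With this traffic the browser stops sending the cookie at 09:30 although the user is still active, the last request that reached the session was at 09:20, and the container keeps the now-orphaned session until 09:50: the user is effectively logged out twenty minutes before the server frees the session.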


<session-timeout> is the maximum duration of an unused session (from the time of the last request). When a session is not used (no request) for that amount of time, the server-side application kills the session (you can catch this event and implement your own behaviour).

Session cookie max-age defines how long this cookie is stored in the user's browser.

To conclude, when a session cookie reaches its max-age, the session is forced to disconnect. In the other case, when a session is disconnected by the session-timeout event, the session cookie might still be present in the user's browser.


Why do we even need this? Quoting the Servlet 3.0 specification:

In the HTTP protocol, there is no explicit termination signal when a client is no longer active. This means that the only mechanism that can be used to indicate when a client is no longer active is a time out period.

The web-commons schema really nails explaining it:

The session-timeout element defines the default session timeout interval for all sessions created in this web application. The specified timeout must be expressed in a whole number of minutes.

If the timeout is 0 or less, the container ensures the default behaviour of sessions is never to time out. If this element is not specified, the container must set its default timeout period.


The web-commons schema also has something for us about the max-age element:

The lifetime (in seconds) that will be assigned to any session tracking cookies created by this web application. Default is -1.


And to answer your last question:

Also, is there any way to configure ALL cookies in web.xml? This seems to apply to session cookies only. Do I need a filter for such feature?

I don't think so. The easiest™ way to do so IMHO would be to subclass HttpServletResponseWrapper overriding the addCookie() method.


So to sum it up:

  • session-timeout configures how long the session will linger around consuming server resources, even when not being actively accessed.

  • max-age configures how long the client browser will keep the session cookie. This setting only applies to the lifetime of the cookie: it won't do a thing if you're using URL rewriting, and it has absolutely nothing to do with how long the sessions are kept at the server-side. The default, -1, keeps the cookie for as long as the browser session is active.


Useful links:

Servlet 3.1 JSR-340 specification page:
http://download.oracle.com/otndocs/jcp/servlet-3_1-fr-eval-spec/index.html

The web-commons XSD is available at:
http://www.oracle.com/webfolder/technetwork/jsc/xml/ns/javaee/web-common_3_0.xsd
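The HttpServletResponseWrapper approach mentioned in the answer above, written out as an added example (not code from the answer or from any project), for applying a cookie policy to every cookie the application adds rather than only the container's session cookie. It assumes the javax.servlet 3.x API the thread discusses; the filter name, class names and the 1800-second value are made up for the illustration.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Added example, not code from the answer: one way to apply a cookie policy to every
// cookie the application adds, which <cookie-config> in web.xml does not cover.
// Assumes the javax.servlet 3.x API; filter name and policy values are made up.
@WebFilter("/*")
public class CookieHardeningFilter implements Filter {

    // Hypothetical policy: HttpOnly everywhere, and a hard 1800 s limit (mirroring the
    // question's max-age) for any cookie left at the default -1 "browser session" lifetime.
    private static final int DEFAULT_MAX_AGE_SECONDS = 1800;

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            res = new CookiePolicyResponse((HttpServletResponse) res);
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    static final class CookiePolicyResponse extends HttpServletResponseWrapper {
        CookiePolicyResponse(HttpServletResponse response) { super(response); }

        @Override
        public void addCookie(Cookie cookie) {
            cookie.setHttpOnly(true);                 // Cookie.setHttpOnly exists since Servlet 3.0
            if (cookie.getMaxAge() < 0) {             // -1: browser decides; replace with an absolute limit
                cookie.setMaxAge(DEFAULT_MAX_AGE_SECONDS);
            }
            super.addCookie(cookie);
        }
        // Not intercepted here: cookies the container writes itself (the JSESSIONID cookie
        // stays under <cookie-config>) and raw Set-Cookie headers added via addHeader().
    }
}
```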