We can invalidate a session in the following two ways:

  1. By invalidate()
  2. By the timeout mechanism

By invalidate()

The HttpSession interface defines the invalidate() method to invalidate (expire) a session explicitly:

public void invalidate()

Example:

Whenever we click a logout button, this method is executed internally.

By Timeout mechanism

If we do not perform any operation on the session object for a predefined amount of time, the session expires automatically. This predefined amount of time is called the session timeout (the max inactive interval is nothing but the session timeout).

We can configure the session timeout in the following ways:

  1. Automatic support from the web server (default timeout)
    Most web servers provide a default session timeout, usually 30 minutes.
    We are allowed to change this server-level default session timeout based on our requirements.
  2. Configuring the session timeout at web-application level

    We can configure the session timeout for the entire web application in web.xml as follows:

    
    <web-app>
    <session-config>
    <session-timeout>10</session-timeout>
    </session-config>
    </web-app>
    

    <session-config> is a direct child tag of <web-app>, and we can place it anywhere within <web-app>.

    The unit for the <session-timeout> tag value is minutes. A zero (0) or negative value indicates that the session never expires.

    A session timeout configured this way applies to all the sessions created as part of the application.

  3. Configuring the session timeout for a particular session object

    The HttpSession interface defines the following method to set the session timeout for a particular session object:

    public void setMaxInactiveInterval(int seconds)

    The argument is in seconds.
    A value of 0 means the session will expire immediately.
    A negative value means the session never expires.

    This type of session timeout applies only to the particular session object on which we called this method.

Comparison between the two session timeout mechanisms:

| Property | <session-timeout> | setMaxInactiveInterval |
|---|---|---|
| Scope | Applicable to all the sessions created in that web application | Applicable only to the particular session object on which we called this method |
| Units | Minutes | Seconds |
| Zero value | Indicates session never expires | Indicates session expires immediately |
| Negative value | Indicates session never expires | Indicates session never expires |

Important methods of HttpSession:

  1. public boolean isNew()
    To check whether the session object is newly created or not.
  2. public void invalidate()
    To expire a session explicitly.
  3. public void setMaxInactiveInterval(int seconds)
    To set the session timeout for a particular session object.
  4. public int getMaxInactiveInterval()
    To get the session timeout value.
  5. public String getId()
    Returns the session id.
  6. public long getCreationTime()
    Returns the time when the session was created, in milliseconds since Jan 1, 1970.
    If we pass this long value to the Date constructor, we get the exact date and time.
    Date d = new Date(l);
  7. public long getLastAccessedTime()
    Returns the time when the client most recently accessed the session object, in milliseconds.
  8. public ServletContext getServletContext()
    Returns the ServletContext object to which the session belongs.

Note: Once the session expires, we are not allowed to call the above methods; a violation leads to IllegalStateException. This rule is not applicable to the getServletContext() method.
Note: The HttpSession interface defines the following methods to perform attribute management in the same scope.

  1. public void setAttribute(String name,Object value)
  2. public Object getAttribute(String name)
  3. public Enumeration getAttributeNames()
  4. public void removeAttribute(String name)
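
The two mechanisms above in one servlet, as an added example that is not part of the original tutorial: a GET request applies a per-session timeout with setMaxInactiveInterval(), and a POST request plays the role of the logout button and calls invalidate(). The class name, the 5-minute value and the javax.servlet package (Servlet API 4.0 or earlier) are assumptions.

```java
import java.io.IOException;
import java.util.Date;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet; map it to a URL of your choice in web.xml.
public class SessionDemoServlet extends HttpServlet {

    // Assumed value: 5 minutes of inactivity, for this session object only.
    private static final int PER_SESSION_TIMEOUT_SECONDS = 5 * 60;

    // GET: create or reuse the session and set its own timeout.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpSession session = req.getSession(); // creates a session if none exists
        // Takes precedence over <session-timeout> (minutes) for this object; unit is seconds.
        session.setMaxInactiveInterval(PER_SESSION_TIMEOUT_SECONDS);
        resp.setContentType("text/plain");
        resp.getWriter().printf("new=%b created=%s timeout=%ds%n",
                session.isNew(),
                new Date(session.getCreationTime()),
                session.getMaxInactiveInterval());
    }

    // POST: logout. Expire the session explicitly instead of waiting for the timeout.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        resp.setContentType("text/plain");
        // getSession(false) returns null rather than creating a session just to destroy it.
        HttpSession session = req.getSession(false);
        if (session == null) {
            resp.getWriter().println("no active session");
            return;
        }
        session.invalidate();
        try {
            session.getCreationTime(); // any method other than getServletContext()
            resp.getWriter().println("unexpected: session is still valid");
        } catch (IllegalStateException expected) {
            // The expired session object rejects further calls, as the note above states.
            resp.getWriter().println("logged out; session expired");
        }
    }
}
```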