How close is the actual session timeout period to the specified timeout period?

Avi Kak

During some development work recently, I became curious as to how close the actual session timeout period was to the specified timeout period. Much to my surprise, I discovered a wide discrepancy between the two for the case when the specified timeout periods are short. I have not done experiments for the case when the specified timeout periods are long. I'd expect that for the case of long timeout periods, the two -- the specified and the actual -- would be in fairly close agreement.

I show below some empirical data obtained for four different values of the specified timeout periods: 10, 20, 60, and 120 seconds. For each case, I ran five trials. Each trial consisted of hitting the reload button of the client browser after the session had already timed out from the previous reload.

all times are in seconds
Specified session timeout period Actual session timeout period for the server running on a Windows NT machine Actual session timeout period for the server running on a Solaris 5.6 machine
10 24 32
  53 53
  53 47
  44 48
  45 50
20 54 39
  44 51
  45 40
  25 22
  49 52
60 105 93
  97 114
  100 110
  113 109
  101 110
120 131 161
  170 146
  169 135
  165 137
  147 146

These results were obtained with Tomcat 3.1 as a stand-alone web server for both Windows NT and Solaris. The browser used was Netscape 4.73.

Shown below is a servlet, TestSessionTimeout, that I used for measuring the actual session timeout periods. For those new to servlets, the following comments should prove useful for understanding this servlet:

  • Assuming that a session was not previously created, the method
         HttpSession session =  HttpServletRequest.getSession( true );
    creates a new session between a client and a server.
  • The timeout period of this session can be specified by invoking
           session.setMaxInactiveInterval( int interval );
    The timeout period of a session is the maximum permissible time in seconds between successive client accesses. If a client request is not received within the specified timeout period, the session is invalidated and objects bound to it are unbound.
  • If an object wishes to receive notification of when it is bound to or unbound from a session, the object must implement the HttpSessionBindingListener interface.
The servlet shown below uses a SessionTimer class that implements the HttpSessionBindingListener interface. When a session times out, the SessionTimer object, timer, is notified of that fact. It then proceeds to calculate the time difference between the creation time instant of the session and the time when the session becomes invalidated.

import java.io.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class TestSessionTimeout extends HttpServlet {

  private static final String TIMER_KEY = "session.timer";

  public void doGet (HttpServletRequest request, HttpServletResponse response)
         throws ServletException, IOException 
    HttpSession session = request.getSession(true);
    session.setMaxInactiveInterval( 120 );      
    SessionTimer timer = (SessionTimer) session.getAttribute( TIMER_KEY );

    if ( timer == null ) {
      timer = new SessionTimer( session.getCreationTime() );
      session.setAttribute( TIMER_KEY, timer );

// Generate Output
    PrintWriter out = response.getWriter();
    out.println("<html>" +
      "<head><title>Session Information</title></head>" +
      "<body bgcolor="#FFFFFF">" +
      "<h1>Session Information</h1><table>");
    out.println ("<tr><td>Identifier</td>");
    out.println ("<td>" + session.getId() + "</td></tr>");
    out.println ("<tr><td>Created</td>");
    out.println ("<td>" + new Date(session.getCreationTime()) + "</td></tr>");
    out.println ("<tr><td>Last Accessed</td>");
    out.println ("<td>" + new Date(session.getLastAccessedTime()) + "</td></tr>");
    out.println ("<tr><td>New Session?</td>");
    out.println ("<td>" + session.isNew() + "</td></tr>");
    Enumeration names = session.getAttributeNames();
    while ( names.hasMoreElements() ) {
      String name = (String) names.nextElement();
      out.println ("<tr><td>" + name + "</td>");
      out.println ("<td>" + session.getAttribute(name) + "</td></tr>");

class SessionTimer implements HttpSessionBindingListener {

  private long createTime;

  public SessionTimer( long ctime ) 
    createTime = ctime;

  public void valueBound( HttpSessionBindingEvent event ) {}

  public void valueUnbound( HttpSessionBindingEvent event ) 
    try {
      long diffTimeInSecs = ( System.currentTimeMillis() - createTime ) / 1000;
      System.out.println( "The session duration in seconds: " + diffTimeInSecs );
    } catch( SecurityException e ) {}