A session timeout can be configured in an application.cfc
file or a<cfapplication>
tag in an application.cfm
file with the sessionTimeout
parameter. For example, in an application.cfm
file, use:
<cfapplication name = ""SampleApplication"" sessionmanagement = ""Yes"" sessiontimeout = ""#CreateTimeSpan(0,0,30,0)#"""">
Session timeouts can also be defined on the ColdFusion server under Server Settings > Memory Variables.
The session-timeout parameter in the cf_root/WEB-INF/web.xml
file establishes the maximum J2EE session timeout. This setting should always be greater than or equal to ColdFusion's Maximum Session Timeout value.
The SESSION_COOKIE_AGE
setting can be used to set an absolute timeout. There is also a SESSION_EXPIRE_AT_BROWSER_CLOSE
setting that you can set to have the session cookie expire when the user closes the browser. To keep a user logged in if they are active, set theSESSION
_SAVE_EVERY_REQUEST
setting to True.
In J2EE the idle timeout configurations can be made in web.xml:
<session-config> <session-timeout>60</session-timeout> </session-config>
In J2EE absolute time-out may or may not be configurable. If not, useHttpSession.getCreationTime()
to assist your custom logic.
There are a number of settings in the php.ini
file that affect session behavior, including the maximum lifetime before garbage collection:
session.gc_maxlifetime = 1440