I have a requirement: when a user is authenticated into a session, and after 10 minutes of inactivity, the session times out. Once the session has timed out, any further request is expired and is redirected to a timed-out page. I have researched this and came up with 2 different approaches.
Approach #1:
In web.xml
I have the code mentioned below...
<session-config><session-timeout>10</session-timeout></session-config>
Approach #2:
I have the code mentioned below inside the authenticated page...
response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
response.setDateHeader("Expires", 0); // Proxies.
request.getSession().setMaxInactiveInterval(600);
Now, my questions are:
What is the difference between these two approaches? Which one is better or recommended?
And also, when using approach #2, if the end user navigates away from the authenticated page but has not logged out, does the session still time out after 10 mins of inactivity?
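As an added example (not part of the question above, and not code from any project it mentions), the filter below shows how the two pieces fit together in one place: the web.xml `session-timeout` (in minutes) is the container-wide default, while `setMaxInactiveInterval` (in seconds) overrides it on the session object itself, so it stays in force whichever page the user visits next. The filter also turns an expired session into the redirect to a timed-out page that the question asks for, and a listener records expiries for audit. It assumes the Servlet 3.0 `javax.servlet` API, a hypothetical protected path `/secure/*`, a login that stores a `"user"` session attribute, and two hypothetical pages `/timedout.jsp` and `/login.jsp`.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical protected path; every request under it passes through this filter.
@WebFilter("/secure/*")
public class SessionTimeoutFilter implements Filter {

    // Same value as <session-timeout>10</session-timeout> in web.xml, but in seconds.
    private static final int MAX_INACTIVE_SECONDS = 600;

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The browser presented a session id the container no longer recognises:
        // the session expired through inactivity or was invalidated. This is the
        // "further request after timeout" case, so send the user to the timed-out page.
        if (request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid()) {
            response.sendRedirect(request.getContextPath() + "/timedout.jsp");
            return;
        }

        // No session at all, or a session without an authenticated user (assumed
        // "user" attribute set at login): not a timeout, just not logged in.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;
        }

        // Per-session override of the web.xml default. It is stored on the session
        // object, so it keeps applying no matter which page is requested next.
        session.setMaxInactiveInterval(MAX_INACTIVE_SECONDS);

        // These headers do not affect the timeout; they stop browser and proxy caches
        // from replaying the authenticated page (e.g. via the back button) after logout.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1
        response.setHeader("Pragma", "no-cache");                                   // HTTP 1.0
        response.setDateHeader("Expires", 0);                                       // Proxies

        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}

// Audit hook: the container calls this when a session expires or is invalidated.
@WebListener
class SessionExpiryLogger implements HttpSessionListener {
    private static final Logger LOG = Logger.getLogger(SessionExpiryLogger.class.getName());

    @Override
    public void sessionCreated(HttpSessionEvent e) {
        LOG.info("session created, maxInactiveInterval=" + e.getSession().getMaxInactiveInterval() + "s");
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent e) {
        // Fires for both explicit invalidate() and inactivity expiry.
        LOG.info("session destroyed: " + e.getSession().getId());
    }
}
```

The redirect to the timed-out page can only happen on the next request, because the container expires sessions in the background; nothing is pushed to an idle browser. With the filter in place, a web.xml `session-timeout` is still worth keeping as the fallback for any session the filter never sees.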