Caucho maker of Resin Server | Application Server (Java EE Certified) and Web Server


Resin Documentation

home company docs 
app server 
 Resin Server | Application Server (Java EE Certified) and Web Server

session tags

Resin adds a number of additions to the standard session-config tag.


child of <session-config>

<cookie-domain> configures the host domain to use for sessions, i.e. value of the Domain cookie attributes.

By default, browsers only send cookies back to the exact host which sent them. In some virtual host cases, it makes sense to share the same cookie value for multiple virtual hosts in the same domain. For example, might want a single cookie to be used for both and In this case the cookie-domain would be set to

cookie-domain for
<resin xmlns="">
<cluster id="app-tier">

  <host id="">


      <session-config cookie-domain=""/>




child of <session-config>

<cookie-length> sets the length of the generated cookie value. In some rare cases, the cookie-length might need to be shortened or the cookie-length might be extended to add randomness to the cookie value. For the most part, this value should be left alone.

default 14


child of <session-config>

<cookie-max-age> sets how long the browser should keep the session cookie.

By default, browsers keep cookies as long as they are open. When the browser is restarted, the cookies are dropped. cookie-max-age tells the browser to keep the cookie for a certain time period. Applications can make this time "infinite" by setting a large number.


<cookie-version> sets the version of the cookie spec for sessions.

default 1.0


child of <session-config>

<ignore-serialization-errors> is used with persistent sessions in certain rare cases where some session data is serializable and other data is not serializable. <ignore-serialization-errors> simply skips session values which do not implement when serializing the session.

default false


Session configuration parameters.

Servlet 2.4 definition for session-timeout
session-timeoutThe session timeout in minutes, 0 means never timeout.30 minutes

Resin adds a number of session-config tags.

Resin extensions to session-config
always-load-sessionReload data from the store on every request. (resin 1.2)false
always-save-sessionSave session data to the store on every request. (resin 1.2)false
cookie-versionVersion of the cookie spec for sessions. (resin 1.2)1.0
cookie-domainDomain for session cookies. (resin 1.2)none
cookie-max-ageMax age for persistent session cookies. (resin 2.0)none
cookie-lengthMaximum length of the cookie. (resin 2.1.1)Integer.MAX_VALUE
enable-cookiesEnable cookies for sessions. (resin 1.1)true
enable-url-rewritingEnable URL rewriting for sessions. (resin 1.1)true
ignore-serialization-errorsWhen persisting a session, ignore any values which don't implement
invalidate-after-listenerInvalidate the session after notifying session listeners.false
reuse-session-idReuse the session id even if the session has timed out. (resin 2.0.4)true
save-only-on-shutdownOnly save session when the application shuts down. (resin 1.2.3)false
ssl-cookie-nameSet a different cookie name to use for SSL connections, and add the "secure" flag when setting the cookie in the browser.
session-maxMaximum active sessions4096
use-persistent-storeUses the current persistent-store to save sessions. (resin 3.0.8)none

By default, both enable-cookies and enable-url-rewriting are true. To force url rewriting, you would create a configuration like:

<web-app id='/'>



The session-timeout and session-max are usually used together to control the number of sessions. Sessions are stored in an LRU cache. When the number of sessions in the cache fills up past session-max, the oldest sessions are recovered. In addition, sessions idle for longer than session-timeout are purged.

using session-config and session-timeout to control the number of sessions
<web-app id='/dir'>

     <!-- 2 hour timeout -->


cookie-length is used to limit the maximum length for the session's generated cookie for special situations like WAP devices. Reducing this value reduces the randomness in the cookie and increases the chance of session collisions.

reuse-session-id defaults to true so that Resin can share the session id amongst different web-apps.

The class that corresponds to <session-config> is


child of <session-config>

<session-max> sets the maximum number of sessions stored in memory for a particular <web-app>. The total number of persisted sessions may be larger.

default 4096


child of <session-config>

<save-mode> configures when Resin should save a persistence session during a request. The values are:

after-requestSave the session after the request has been served and completed
before-headersSave the session before sending headers to the browser
on-shutdownOnly save the session when Resin is shutting down

In some situations, like redirects, a fast browser can send a request back to Resin before the session is persisted with the after-request save-mode. If the server is configured without sticky sessions, the load balancer might send the request to a different server, which may not get the updated session. In the situation, either the save-mode should be changed to before-headers or sticky sessions should be enabled.

If the save-mode is before-headers, the application should take care to make any session changes before sending data to the browser.

default after-request


child of <session-config>

<session-timeout> sets how long a <web-app> should keep an idle session before invalidating it. The value is specified in minutes.

default 30min

Copyright © 1998-2015 Caucho Technology, Inc. All rights reserved. Resin ® is a registered trademark. Quercustm, and Hessiantm are trademarks of Caucho Technology.

Cloud-optimized Resin Server is a Java EE certified Java Application Server, and Web Server, and Distributed Cache Server (Memcached).
Leading companies worldwide with demand for reliability and high performance web applications including, CNET, DZone and many more are powered by Resin.

home company docs 
app server