Question

Is it good practice to set the session-timeout in web.xml to 0?

Isn't a memory leak possible if the user just closes the browser without logging out?

I've tried to analyze the memory heap using MAT, but I didn't find anything regarding the session container, but I'm still not sure.


Solution

IMHO it is a bad practice.

I think this isn't a memory 'leak' in the strict sense, but it may lead to memory saturation.

However, this will happen if you have

  • a small amount of memory
  • heavy session objects
  • many users
  • a container that does not serialize sessions

But if one or more of these conditions are not met, preserving sessions should not be a problem as far as memory is concerned.

I think the worst issue is, instead, on the security side.

Session stealing techniques are very effective in this scenario: an attacker can use a stolen session days after the theft.

License: CC-BY-SA with attribution
Not affiliated with StackOverflow