Description of problem: The default-session-timeout from the web subsystem does not apply to applications that contain a <session-config> in their web.xml (even if no session timeout is set in the web.xml). The presence of the <session-config> results in the app having a SessionConfigMetaData with a default session timeout of 30 minutes that overrides the default-session-timeout set in the web subsystem. Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: 1. Set a default-session-timeout: <subsystem xmlns="urn:jboss:domain:web:2.2" default-virtual-server="default-host" native="false" default-session-timeout="15"> 2. Deploy an app with the following in its web.xml (for example, the attached war): <session-config> <cookie-config> <http-only>true</http-only> </cookie-config> </session-config> 3. Check that the session timeout is 30 minutes instead of 15 (easily done by requesting the attached app's index.jsp) Actual results: default-session-timeout does not apply Expected results: default-session-timeout does apply Additional info: Note that default-session-timeout does apply in this case on EAP 7
Created attachment 1363253 [details] bz1521012.war
Regression tests passed Verified with EAP 6.4.20.CP.CR1