The session-config Element

The allowed child elements include session-timeout and max-desktops-per-session. You might have multiple session-config elements in one zk.xml.

<session-config>
    <session-timeout>1800</session-timeout>    
    <timer-keep-alive>false</timer-keep-alive>    
    <max-desktops-per-session>15</max-desktops-per-session>    
    <max-requests-per-session>5</max-requests-per-session>    
</session-config>

The session-timeout Element

[Default: 0 (depending on the Web server)]

It specifies the time, in seconds, between client requests before a session is invalidated. A negative time indicates the session should never timeout. The default zero means to use the system default (which is usually specified in web.xml).

The timer-keep-alive Element

[Default: false]

It specifies whether to keep the session alive, when receiving the onTimer event.

A session is considered as timeout (and then invalidated), if it doesn't receive any client request in the specified timeout interval (see the session-timeout element above).

By setting this option to true, the onTimer event, just like any other events, will reset the session timeout counter (and then keep the session alive until timeout). Notice that, if this option is false and the timer is shorter than the session timeout, the session won't be expired.

By default, this option is false. It means the onTimer event is ignored when handling the session timeout. In other words, the session will expire if no other event is received before timeout.

The max-desktops-per-session Element

[Default: 15]

It specifies the maximal allowed number of desktops per session. A desktop represents a HTML page for a browser. In other words, this number controls the number of concurrent browser windows allowed per session.

A negative number means no limitation at all.

Note: If you use org.zkoss.zk.ui.impl.GlobalDesktopCacheProvider, then you have to make this number much larger since it means the maximal allowed number of deskoper per system.

The max-requests-per-session Element

[Default: 5]

It specifies the maximal allowed number of concurrent requests per session. Each time an user types an URL at the browser, it creates a request and the request ends after the response is sent to the browser. In other words, this number controls how many concurrent requests the same user can send.

A negative number means no limitation at all, but it is not recommended due to the possibility of the denial-of-service (DoS) attacks.