Session timeout=0 behavior unclear or incorrect

Description

I'm not sure if this is just unclear documentation, or a bug: according to the SP documentation setting timeout=0 "disables timeout checking" [1]. That suggests to me that sessions do not have an activity timeout (and hence will be valid for the entire configured lifetime), but in practice it seems that means sessions are just not refreshed, and will therefore be purged after the SessionCache cacheAllowance.

[1] https://wiki.shibboleth.net/confluence/pages/viewpage.action?spaceKey=SP3&title=Sessions

Environment

None

Activity

Kevin Retzke
February 14, 2019 at 7:09 PM

Thanks for the quick investigation and resolution; the updated docs seem clear to me.

Scott Cantor
February 14, 2019 at 6:06 PM

Updated docs to reflect the actual behavior.

Scott Cantor
February 14, 2019 at 6:05 PM

The cacheAllowance ends up overriding the lifetime instead of being added to it, which was not what I remembered the code doing, so that's where I would say, arguably, "it's a bug", but it's the sort of bug that, if it got fixed, would create a confusing change in behavior across different versions and just end up causing more problems. So rather than change it, I'd prefer to just document the behavior, so mea culpa and you were 100% correct.

I updated both timeout and cacheAllowance docs to better reflect what it actually does.

Normally when timeout is set, this isn't noticeably weird, but you are correct that it is noticeable when it's zero. cacheAllowance doesn't get added to lifetime but replaces it, so you either have to set it high enough to match, or leave it at 0 also.

If you set cacheAllowance, however, to a really high number, it will result in more sessions hanging around in memory, but any attempt to use a session that's past its lifetime still breaks; that's a separate check regardless of whether the record is still available. So it's effectively usable as an upper bound on lifetime, but practically speaking, setting timeout to zero in most cases would be accompanied by setting cacheAllowance to zero.
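The behavior Scott describes above, as an added illustrative model written for this page (it is not Shibboleth SP code; the Session fields, the function names and the sample values are assumptions, and the model only covers the timeout=0 interaction the thread discusses):

```python
"""Model of the session-expiry rules described in this issue (not SP code).

With timeout=0 the last-time-used check is bypassed and the session record is
never refreshed, so a non-zero cacheAllowance replaces lifetime as the point at
which the SessionCache purges the record.  The lifetime check is a separate
check that applies whether or not the record is still cached.
"""
from dataclasses import dataclass


@dataclass
class Session:
    created: int       # time the session was established (assumed field)
    last_written: int  # time the cache record was last (re)written (assumed)
    last_used: int     # time of the last request that used it (assumed)


def session_usable(s, now, lifetime, timeout, cache_allowance):
    """Return (usable, reason) for a request at time `now` (all in seconds)."""
    # Lifetime is an absolute bound checked regardless of cache state.
    if now - s.created > lifetime:
        return False, "lifetime"
    if timeout > 0:
        # Activity timeout: the session is refreshed on every successful use.
        if now - s.last_used > timeout:
            return False, "timeout"
        s.last_used = s.last_written = now
        return True, "ok"
    # timeout == 0: no activity check, but the record is never refreshed,
    # so a non-zero cacheAllowance is when the cache drops it.  A value of 0
    # keeps the record for the full lifetime.
    if cache_allowance > 0 and now - s.last_written > cache_allowance:
        return False, "purged"
    return True, "ok"


def effective_lifetime(lifetime, timeout, cache_allowance):
    """Longest a continuously used session can survive under these settings."""
    if timeout == 0 and cache_allowance > 0:
        return min(lifetime, cache_allowance)
    return lifetime


if __name__ == "__main__":
    # Constructed scenarios from the thread: 24h lifetime, 1h cacheAllowance.
    for timeout, allowance in ((0, 3600), (0, 0), (0, 86400), (86400, 3600)):
        print(timeout, allowance, effective_lifetime(86400, timeout, allowance))
```

The first scenario reproduces the one-hour expiry the reporter observed; the other three all yield the full 24 hours.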

Kevin Retzke
February 14, 2019 at 5:27 PM

Thanks for the quick response. I'm still confused by "timeouts are imposed by applying a secondary check against the last-time-used of the session. Using zero does what it says, it bypasses that check." Does that mean that sessions should remain valid for the entire lifetime in that case? I mentioned cacheAllowance since with lifetime=86400, timeout=0, and cacheAllowance=3600, I was observing sessions expiring after one hour. Changing timeout to 86400 seems to give me the expected behavior of sessions lasting 24 hours.

Thanks, Kevin

Scott Cantor
February 14, 2019 at 5:24 PM

Docs aside, I suspect what you would be seeking is best met by setting cacheAllowance to zero.

Fixed

Details

Created February 14, 2019 at 4:05 PM
Updated February 14, 2019 at 7:09 PM
Resolved February 14, 2019 at 6:06 PM