My web app's web.xml defines session timeout as follows.
<session-config>
    <session-timeout>1</session-timeout>
</session-config>
But when I check the saved session cookie in Chrome, it says
Expires: When the browsing session ends
What's the reason for this?
It's not the cookie which will time out. It's the session stored on the application server. When you make a request after the timeout period has elapsed, Tomcat will realise that the session has expired and take appropriate action.
If you start a new session you will get a new sessionId in your JSESSIONID cookie.
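The two lifetimes discussed above can be seen side by side in the deployment descriptor. This is an added example, not part of the original question or answer; it assumes a Servlet 3.0 or later web.xml, and the max-age value is constructed for illustration.

```xml
<session-config>
    <!-- Server-side idle timeout, in MINUTES. After this much inactivity the
         container invalidates the session object it holds, regardless of
         what the browser still has stored. -->
    <session-timeout>1</session-timeout>

    <!-- Browser-side attributes of the JSESSIONID cookie (Servlet 3.0+). -->
    <cookie-config>
        <!-- Not readable from page scripts. -->
        <http-only>true</http-only>
        <!-- Only sent over HTTPS. -->
        <secure>true</secure>
        <!-- Cookie lifetime in SECONDS. When this element is omitted the
             default is -1, which produces a session cookie: the browser then
             shows "Expires: When the browsing session ends".
             60 is a constructed value chosen to mirror the 1 minute above. -->
        <max-age>60</max-age>
    </cookie-config>
</session-config>
```

Setting max-age only changes when the browser discards the cookie; session expiry is still decided by session-timeout on the server, so a cookie that outlives the session simply carries an ID the container no longer recognises.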