jufer

No Session timeout occurs even if the timeout was specified

Hi,
I'm trying to find out why we have no session timeout on our WebSphere 5.1 server.

Information about our application and server:
We are using WebSphere 5.1 on a Sun Solaris server (E4500) with 8 GB RAM.
Our application uses Java with Struts 1.2, no EJBs of any kind, and an Oracle DB.
We have specified the timeout as 30 in the web.xml, and I have checked this on the Admin console of WebSphere (for our application) and it is 30.
But an hour after entering the application (user/password) we still have our session with the data in it (role-specific navigation still works, data still there...)

What I need to know is:
- how the session invalidation process works (exactly): what does WebSphere do after a session should time out?
- and what type of Java code can prevent WebSphere from removing a session?

thanks for your help.
gabriel
jufer

ASKER

any help?
You can make use of HttpSession.getMaxInactiveInterval() and decide whether the session should expire or not.

https://www.experts-exchange.com/questions/10351616/session-timeout.html
ASKER

Hi avinthm,
thank you for the links. My question is still open,
- how the session invalidation process works (exactly): what does WebSphere do after a session should time out?
- and what type of Java code (or WebSphere settings) can prevent WebSphere from removing a session?

thanks
gabriel
When you make a call to invalidate() all objects bound to the session are unbound. The HttpSession object and the data values it contains are removed from the memory. Hence you can tell that Session has expired.

Timeout can be overridden for a specific session by calling HttpSession.setMaxInactiveInterval(int secs) - negative value indicates session should never time out.

WebSphere Application Server destroys the allocated HttpSession when it expires (default = 1800 seconds or 30 minutes). The WebSphere Application Server maintains a certain number of HTTP sessions in memory based on Session Management settings. When maximum cache limit is reached in memory, the Session Management facility removes the least recently used (LRU) one from cache to make room for a session.
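
The following is an added example, not part of the original thread and not WebSphere code: a servlet filter and session listener that report any session whose effective `getMaxInactiveInterval()` is negative or longer than the configured 30 minutes, which is how application code overriding the timeout with `setMaxInactiveInterval()` shows up. The class name `SessionTimeoutAudit`, the log format and the 30-minute constant are assumptions; the code avoids generics and annotations so it compiles on the older JDKs used with WebSphere 5.1.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example; the class name SessionTimeoutAudit is hypothetical.
// Register it in web.xml as a <listener> and as a <filter> mapped to /*.
// Session IDs are deliberately not logged: they are credentials.
public class SessionTimeoutAudit implements Filter, HttpSessionListener {

    // Assumption: 30 minutes, matching <session-timeout>30</session-timeout>.
    static final int EXPECTED_SECONDS = 30 * 60;

    // Classify the effective per-session interval against the configured one.
    static String classify(int maxInactiveSeconds) {
        if (maxInactiveSeconds < 0) return "NEVER_EXPIRES";
        if (maxInactiveSeconds > EXPECTED_SECONDS) return "LONGER_THAN_CONFIGURED";
        return "OK";
    }

    public void init(FilterConfig config) {}
    public void destroy() {}

    // After each request, report sessions whose interval was overridden in code.
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(req, res);
        if (!(req instanceof HttpServletRequest)) return;
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession s = http.getSession(false);   // never create a session here
        if (s == null) return;
        try {
            int secs = s.getMaxInactiveInterval();
            String verdict = classify(secs);
            if (!"OK".equals(verdict)) {
                System.out.println("[session-audit] " + verdict + " interval="
                        + secs + "s uri=" + http.getRequestURI());
            }
        } catch (IllegalStateException invalidated) { /* session already gone */ }
    }

    public void sessionCreated(HttpSessionEvent e) {
        System.out.println("[session-audit] created " + new java.util.Date()
                + " interval=" + e.getSession().getMaxInactiveInterval() + "s");
    }

    public void sessionDestroyed(HttpSessionEvent e) {
        System.out.println("[session-audit] destroyed " + new java.util.Date());
    }
}
```

The request URI in each report points to the code path that last touched the overridden session, and comparing the created and destroyed timestamps shows how long the container actually kept a session.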

ASKER

Hi avinthm,
Well, that's the default behaviour we can expect from any web server, isn't it?
When the maximum cache limit is reached in memory, does it make some sessions persistent on disk (if the timeout was not reached), and where?
I need mooooore information to find our bug/solve our problem.
thanks
gabriel

ASKER

Another thing about how WebSphere makes a session time out....
When does it call the garbage collector and what strategy does it have (WebSphere on Solaris)?
thanks
Hi,

You need to configure it in web.xml; for WAS it will be in the admin console.

Example (add after servlet-mapping tag):
web.xml
----------------------------------------
    ...
    </servlet-mapping>

    <session-config>
      <session-timeout>30</session-timeout>
    </session-config>

</web-app>

The default timeout for WebSphere Application Server (WAS) is 30 minutes, meaning that if your user doesn't make a request within that length of time, the session closes.

Session Timeout:

As its name implies, the Session Timeout parameter specifies how long an unused session exists before it times out and is removed from the memory table for local sessions or the cache for distributed sessions. This setting is an important one from a performance perspective because of the memory impact that unused sessions can have on the application server JVM until they are removed. In the same vein, specifying "No Timeout" can result in a memory leak since the session objects are never eligible for garbage collection by the JVM, unless the application explicitly calls "session.invalidate()". As a result, No Timeout is generally not recommended, though it might be appropriate for a small percentage of applications where the user population is very small and stable. In order to minimize the memory impact of session objects, this setting should be set as low as practical in order to satisfy application requirements and use patterns. For applications with a large number of short-lived visits of perhaps a few minutes, a timeout of 5–10 minutes would likely be appropriate. Some web sites even provide a timer to show when the current session will expire and a logout function that invalidates the session.

I hope it may help you.

R.K
ASKER CERTIFIED SOLUTION
avinthm


ASKER

Hi avinthm,
thank you for helping....
I also had the following information from IBM (support call).
- Our session times out after 30 min. It will not be removed if the flag in the console is set (sorry, German console, so I don't know the exact naming...) 'access after timeout'. This flag allows WebSphere to remove a collection of old sessions, because removing uses a lot of CPU power.
If the flag is not set, it will remove it after the timeout. There is another flag, which allows users who return after a timeout (but with the session not removed) to keep working within the same session.
Well this solves my problem and lack of knowledge...
thank you.
gabriel jufer
Welcome :)