No Session timeout occurs even if the timeout was specified

I'm trying to find the error why we have no session timeout on our websphere 5.1 server.

Information about our Application & Server:
We using websphere 5.1 on sun solaris server (E4500) with 8GB Ram.
Our application is using java with struts 1.2, no EJB in any kind and an Oracle DB.
We have specified in the web.xml the timeout to 30 and I have checked this on the Admin console of Websphere (for our application) and it is 30.
But after an hour after enter the application (user/password) we still have our session with the data in it (role specific navigation still works, data still there...)

What I need to know is:
-how the session invalidate process works (exactly), what does websphere after an session should timeout.
-and what type of java code can avoid websphere to remove a session?

thanks for your help.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

juferAuthor Commented:
any help?
you can make you of HttpSession.getMaxInactiveInterval() and decide on session should expire or no.
CompTIA Network+

Prepare for the CompTIA Network+ exam by learning how to troubleshoot, configure, and manage both wired and wireless networks.

juferAuthor Commented:
Hi avinthm,
thank you for the links. My question is still open,
-how the session invalidate process works (exactly), what does websphere after an session should timeout.
-and what type of java code (or Websphere settings) can avoid websphere to remove a session?

When you make a call to invalidate() all objects bound to the session are unbound. The HttpSession object and the data values it contains are removed from the memory. Hence you can tell that Session has expired.

Timeout can be overridden for a specific session by calling HttpSession.setMaxInactiveInterval(int secs) - negative value indicates session should never time out.

WebSphere Application Server destroys the allocated HttpSession when it expires (default = 1800 seconds or 30 minutes). The WebSphere Application Server maintains a certain number of HTTP sessions in memory based on Session Management settings. When maximum cache limit is reached in memory, the Session Management facility removes the least recently used (LRU) one from cache to make room for a session.
juferAuthor Commented:
Hi avinthm,
Well thats the default behaviour what we can expect from any Webserver, isn't it?
When the maximum cache limit is reached in memory, does it make some session persisten on the disk (if timeout was not reached), and where?
I need mooooore information to find our bug/solve our problem.
juferAuthor Commented:
Another thing about how websphere makes a session timeout....
when does it call the garbagecollector and what strategy does it have (webspher on solaris)

you need to cofigure at web.xml, for WAS will be at the admin console.

Example (add after servlet-mapping tag):



The default timeout for WebSphere Application Server (WAS) is 30 minutes, meaning that if your user doesn't make a request within that length of time, the session closes.

Session Timeout:

As its name implies, the Session Timeout parameter specifies how long an unused session exists before it times out and is removed from the memory table for local sessions or the cache for distributed sessions. This setting is an important one from a performance perspective because of the memory impact that unused sessions can have on the application server JVM until they are removed. In the same vein, specifying "No Timeout" can result in a memory leak since the session objects are never eligible for garbage collection by the JVM, unless the application explicitly calls        "session.invalidate()" .        As a result, No Timeout is generally not recommended, though it might be appropriate for a small percentage of applications where the user population is very small and stable. In order to minimize the memory impact of session objects, this setting should be set as low as practical in order to satisfy application requirements and use patterns. For applications with a large number of short-lived visits of perhaps a few minutes, a timeout of 5–10 minutes would likely be appropriate. Some web sites even provide a timer to show when the current session will expire and a logout function that invalidates the session.

i hope it may help you

i got some info regarding persisting sessions.

Hav a look at the following topic

Managing HTTP sessions
Session Management Support
Base in-memory session pool size
Best practices for using HTTP Sessions

This from above link.............

To use manual update, turn it on in the session management Service. (See the tables above for location information.) Additionally, the application code must use the class instead of the generic HttpSession. Within the IBMSession object there is a method called sync(). This method tells the WebSphere Application Server to write the data in the session object to the database. This activity helps the developer to improve overall performance by having the session information persist only when necessary.

Note: An alternative to using the manual updates is to utilize the timed updates to persist data at different time intervals. This action provides similar results as the manual update scheme.

Implement the following suggestions to achieve high performance:
If your applications do not change the session data frequently, use Manual Update and the sync() function (or timed interval update) to efficiently persist session information.
Keep the amount of data stored in the session as small as possible. With the ease of using sessions to hold data, sometimes too much data is stored in the session objects. Determine a proper balance of data storage and performance to effectively use sessions.
Verify that you have the latest fix packs for the WebSphere Application Server.
Utilize the following tools to help monitor session performance.
Run the servlet. - To run this servlet, you must have the servlet invoker running in the Web application you want to run this from. Or, you can explicitly configure this servlet in the application you want to run.
Use the WebSphere Application Server Resource Analyzer which comes with WebSphere Application Server to monitor active sessions and statistics for the WebSphere Application Server environment.
Use database tracking tools such as "Monitoring" in DB2. (See the respective documentation for the database system used.)

I didnt find any document saying that server stores the sessions externally in case of "cache has reached the max limit".

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
juferAuthor Commented:
Hi avinthm,
thank you for helping....
I had also following information from IBM (support call).
-Our session times out after 30min. It will not be removed if the flag in the console is set (Sorry, german console so I don't know the excact naming...) 'access after timeout'. This flag allows websphere to remove a collection of old session, because removing uses lot of cpu power.
If the flag is not set, it will remove it after the timeout. There is another flag, which will allow users that returns after a timeout (but not removed session) to work further on within the same session.
Well this solves my problem and lack of knowledge...
thank you.
gabriel jufer
wel come :)
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Java App Servers

From novice to tech pro — start learning today.