We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you two Citrix podcasts. Learn about 2020 trends and get answers to your biggest Citrix questions!Listen Now


No Session timeout occurs even if the timeout was specified

jufer asked
Medium Priority
Last Modified: 2013-12-10
I'm trying to find the error why we have no session timeout on our websphere 5.1 server.

Information about our Application & Server:
We using websphere 5.1 on sun solaris server (E4500) with 8GB Ram.
Our application is using java with struts 1.2, no EJB in any kind and an Oracle DB.
We have specified in the web.xml the timeout to 30 and I have checked this on the Admin console of Websphere (for our application) and it is 30.
But after an hour after enter the application (user/password) we still have our session with the data in it (role specific navigation still works, data still there...)

What I need to know is:
-how the session invalidate process works (exactly), what does websphere after an session should timeout.
-and what type of java code can avoid websphere to remove a session?

thanks for your help.
Watch Question


any help?

you can make you of HttpSession.getMaxInactiveInterval() and decide on session should expire or no.



Hi avinthm,
thank you for the links. My question is still open,
-how the session invalidate process works (exactly), what does websphere after an session should timeout.
-and what type of java code (or Websphere settings) can avoid websphere to remove a session?


When you make a call to invalidate() all objects bound to the session are unbound. The HttpSession object and the data values it contains are removed from the memory. Hence you can tell that Session has expired.

Timeout can be overridden for a specific session by calling HttpSession.setMaxInactiveInterval(int secs) - negative value indicates session should never time out.

WebSphere Application Server destroys the allocated HttpSession when it expires (default = 1800 seconds or 30 minutes). The WebSphere Application Server maintains a certain number of HTTP sessions in memory based on Session Management settings. When maximum cache limit is reached in memory, the Session Management facility removes the least recently used (LRU) one from cache to make room for a session.


Hi avinthm,
Well thats the default behaviour what we can expect from any Webserver, isn't it?
When the maximum cache limit is reached in memory, does it make some session persisten on the disk (if timeout was not reached), and where?
I need mooooore information to find our bug/solve our problem.


Another thing about how websphere makes a session timeout....
when does it call the garbagecollector and what strategy does it have (webspher on solaris)

you need to cofigure at web.xml, for WAS will be at the admin console.

Example (add after servlet-mapping tag):



The default timeout for WebSphere Application Server (WAS) is 30 minutes, meaning that if your user doesn't make a request within that length of time, the session closes.

Session Timeout:

As its name implies, the Session Timeout parameter specifies how long an unused session exists before it times out and is removed from the memory table for local sessions or the cache for distributed sessions. This setting is an important one from a performance perspective because of the memory impact that unused sessions can have on the application server JVM until they are removed. In the same vein, specifying "No Timeout" can result in a memory leak since the session objects are never eligible for garbage collection by the JVM, unless the application explicitly calls        "session.invalidate()" .        As a result, No Timeout is generally not recommended, though it might be appropriate for a small percentage of applications where the user population is very small and stable. In order to minimize the memory impact of session objects, this setting should be set as low as practical in order to satisfy application requirements and use patterns. For applications with a large number of short-lived visits of perhaps a few minutes, a timeout of 5–10 minutes would likely be appropriate. Some web sites even provide a timer to show when the current session will expire and a logout function that invalidates the session.

i hope it may help you

i got some info regarding persisting sessions.


Hav a look at the following topic

Managing HTTP sessions
Session Management Support
Base in-memory session pool size
Best practices for using HTTP Sessions

This from above link.............

To use manual update, turn it on in the session management Service. (See the tables above for location information.) Additionally, the application code must use the com.ibm.websphere.servlet.session.IBMSession class instead of the generic HttpSession. Within the IBMSession object there is a method called sync(). This method tells the WebSphere Application Server to write the data in the session object to the database. This activity helps the developer to improve overall performance by having the session information persist only when necessary.

Note: An alternative to using the manual updates is to utilize the timed updates to persist data at different time intervals. This action provides similar results as the manual update scheme.

Implement the following suggestions to achieve high performance:
If your applications do not change the session data frequently, use Manual Update and the sync() function (or timed interval update) to efficiently persist session information.
Keep the amount of data stored in the session as small as possible. With the ease of using sessions to hold data, sometimes too much data is stored in the session objects. Determine a proper balance of data storage and performance to effectively use sessions.
Verify that you have the latest fix packs for the WebSphere Application Server.
Utilize the following tools to help monitor session performance.
Run the com.ibm.servlet.personalization.sessiontracking.IBMTrackerDebug servlet. - To run this servlet, you must have the servlet invoker running in the Web application you want to run this from. Or, you can explicitly configure this servlet in the application you want to run.
Use the WebSphere Application Server Resource Analyzer which comes with WebSphere Application Server to monitor active sessions and statistics for the WebSphere Application Server environment.
Use database tracking tools such as "Monitoring" in DB2. (See the respective documentation for the database system used.)

I didnt find any document saying that server stores the sessions externally in case of "cache has reached the max limit".

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts


Hi avinthm,
thank you for helping....
I had also following information from IBM (support call).
-Our session times out after 30min. It will not be removed if the flag in the console is set (Sorry, german console so I don't know the excact naming...) 'access after timeout'. This flag allows websphere to remove a collection of old session, because removing uses lot of cpu power.
If the flag is not set, it will remove it after the timeout. There is another flag, which will allow users that returns after a timeout (but not removed session) to work further on within the same session.
Well this solves my problem and lack of knowledge...
thank you.
gabriel jufer

wel come :)
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.