This week's book giveaway is in the OO, Patterns, UML and Refactoring forum.
We're giving away four copies of Refactoring for Software Design Smells: Managing Technical Debt and have Girish Suryanarayana, Ganesh Samarthyam & Tushar Sharma on-line!
See this thread for details.
The moose likes Servlets and the fly likes Session Timeouts - Websphere Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login

JavaRanch » Java Forums » Java » Servlets
Bookmark "Session Timeouts - Websphere" Watch "Session Timeouts - Websphere" New topic

Session Timeouts - Websphere

Krishna Govindarajan

Joined: May 22, 2006
Posts: 3
I have a requirement that the session has to timeout after 20 minutes of inactivity rather than websphere's default 30 minutes. I updated web.xml with the following info

What I observed is that the session timeout behaviour is erratic, i.e., the session does not timeout exactly after 20 minutes, but its always off by few minutes but less than the default 30 mins. Here is some data that I collected to demonstrate this behaviour

Last Activity: 11:10:20 12:59:5813:27:13
Timeout: 11:31:03 13:21:5513:51:05

As you can see the time difference is not exactly 20 minutes, but just a guarantee for 20 minutes. I tried setting the timeout using session.setMaxInactiveInterval() and the results is the same. Any idea on what I need to do to bring it to as close as possible to 20, if not exactly 20?

Thanks in advance,
Paul Clapham

Joined: Oct 14, 2005
Posts: 19727

In Websphere? You need to find the place where it says the task that inactivates sessions runs every 5 minutes (or whatever it says) and change that number to something else. I forget where it is, but if you work your way through all the options in the admin server you will eventually find it.

By the way, what is the business reason that makes it a good thing to inactivate a session after 20 minutes but a bad thing to inactivate a session after 21 minutes?
Krishna Govindarajan

Joined: May 22, 2006
Posts: 3
Thanks for the info. 20 minutes is a compliance requirement and its better to have it as close as possible to 20 and in one of my test case, it has varied by 3.5 minutes. I found the settings that you had mentioned here
Servers > Application Servers > server_name > Web Container > Session Management > Distributed Environment Settings > Custom Tuning Parameters and its set to 120 seconds, but that doesn't explain a difference of 3.5 minutes.
My other question regarding the above mentioned setting is that it (websphere admin) says that every 120 seconds the session will be written to the persistent store, but what happens if there is no need to persist a session?
[ May 22, 2006: Message edited by: Krishna Govindarajan ]
David O'Meara

Joined: Mar 06, 2001
Posts: 13459

The session IS actually expired, it just doesn't get cleaned on the server (and hence fire the session event) until one of two things occur:

1) The user attempts to access the expired session
2) a low level thread comes along and cleans up expired sessions.

Is this the behaviour you are seeing?
Krishna Govindarajan

Joined: May 22, 2006
Posts: 3
I tried changing Servers > Application Servers > server_name > Web Container > Session Management > Distributed Environment Settings > Custom Tuning Parameters to 10 seconds and it still doesn't solve my problem.
public void valueUnbound(HttpSessionBindingEvent event) is getting called in a very inconsistent manner - gets called at a random point of time as best explained by the sample timings that I had posted in my original posting. I do have a filter that looks for a value in the session and it doesn't seem to work as outlined by David. This particular value exists in the session until the valueUnbound() event is called.

I better explain, I set the session timeout to 3 minutes and I added some logger debugs. Here is a sample

2006-05-23 15:55:27,875 [Servlet.Engine.Transports : 0] DEBUG **********.filter.SecurityFilter - Session Timeout (session.getMaxInactiveInterval()): 180
2006-05-23 15:55:27,875 [Servlet.Engine.Transports : 0] DEBUG **********.filter.SecurityFilter - Session created at (new Date(session.getCreationTime())): Tue May 23 15:51:30 PDT 2006
2006-05-23 15:55:27,875 [Servlet.Engine.Transports : 0] DEBUG **********.filter.SecurityFilter - Session last accessed (new Date(session.getLastAccessedTime())): Tue May 23 15:55:27 PDT 2006

As you can see, the time difference between session last accessed and session created is more than 3 minutes.

[ May 24, 2006: Message edited by: Krishna Govindarajan ]
Arosti Nahas

Joined: Jul 06, 2008
Posts: 1
Hi Krishna!

I'm facing the same problem! Did you solved the problem?
I've a cluster environment with two nodes.
The problem is that the session, doesn't timeout exactly after 5 minutes.
When the requisition is on the first node, it works just fine but on the second node it never timeout.
The memory-to-memory replication is activated, and the session timeout configurations are made for both nodes to 10 minutes.

For the web.xml:


[ July 06, 2008: Message edited by: Arosti Nahas ]
Dallas Ingbrigtson

Joined: Oct 14, 2010
Posts: 1
This is an old post, but thought I would give a reply anyway. This is from an IBM redbook:

Note: For performance reasons, the session manager invalidation process
runs at regular intervals to invalidate any invalid sessions. This interval is
determined internally based on the Session timeout interval specified in the
Session manager properties. For the default timeout value of 30 minutes,
the invalidation process interval is around 300 seconds. In this case, it
could take up to 5 minutes (300 seconds) beyond the timeout threshold of
30 minutes for a particular session to become invalidated.

I agree. Here's the link:
subject: Session Timeouts - Websphere
It's not a secret anymore!