This week's book giveaway is in the OO, Patterns, UML and Refactoring forum. We're giving away four copies of Refactoring for Software Design Smells: Managing Technical Debt and have Girish Suryanarayana, Ganesh Samarthyam & Tushar Sharma on-line! See this thread for details.
I have a requirement that the session has to timeout after 20 minutes of inactivity rather than websphere's default 30 minutes. I updated web.xml with the following info <session-config> <session-timeout>20</session-timeout> </session-config>
What I observed is that the session timeout behaviour is erratic, i.e., the session does not timeout exactly after 20 minutes, but its always off by few minutes but less than the default 30 mins. Here is some data that I collected to demonstrate this behaviour
Last Activity: 11:10:20 12:59:5813:27:13 Timeout: 11:31:03 13:21:5513:51:05
As you can see the time difference is not exactly 20 minutes, but just a guarantee for 20 minutes. I tried setting the timeout using session.setMaxInactiveInterval() and the results is the same. Any idea on what I need to do to bring it to as close as possible to 20, if not exactly 20?
In Websphere? You need to find the place where it says the task that inactivates sessions runs every 5 minutes (or whatever it says) and change that number to something else. I forget where it is, but if you work your way through all the options in the admin server you will eventually find it.
By the way, what is the business reason that makes it a good thing to inactivate a session after 20 minutes but a bad thing to inactivate a session after 21 minutes?
Joined: May 22, 2006
Thanks for the info. 20 minutes is a compliance requirement and its better to have it as close as possible to 20 and in one of my test case, it has varied by 3.5 minutes. I found the settings that you had mentioned here Servers > Application Servers > server_name > Web Container > Session Management > Distributed Environment Settings > Custom Tuning Parameters and its set to 120 seconds, but that doesn't explain a difference of 3.5 minutes. My other question regarding the above mentioned setting is that it (websphere admin) says that every 120 seconds the session will be written to the persistent store, but what happens if there is no need to persist a session? Thanks. [ May 22, 2006: Message edited by: Krishna Govindarajan ]
The session IS actually expired, it just doesn't get cleaned on the server (and hence fire the session event) until one of two things occur:
1) The user attempts to access the expired session 2) a low level thread comes along and cleans up expired sessions.
Is this the behaviour you are seeing?
Joined: May 22, 2006
I tried changing Servers > Application Servers > server_name > Web Container > Session Management > Distributed Environment Settings > Custom Tuning Parameters to 10 seconds and it still doesn't solve my problem. public void valueUnbound(HttpSessionBindingEvent event) is getting called in a very inconsistent manner - gets called at a random point of time as best explained by the sample timings that I had posted in my original posting. I do have a filter that looks for a value in the session and it doesn't seem to work as outlined by David. This particular value exists in the session until the valueUnbound() event is called.
I better explain, I set the session timeout to 3 minutes and I added some logger debugs. Here is a sample
2006-05-23 15:55:27,875 [Servlet.Engine.Transports : 0] DEBUG **********.filter.SecurityFilter - Session Timeout (session.getMaxInactiveInterval()): 180 2006-05-23 15:55:27,875 [Servlet.Engine.Transports : 0] DEBUG **********.filter.SecurityFilter - Session created at (new Date(session.getCreationTime())): Tue May 23 15:51:30 PDT 2006 2006-05-23 15:55:27,875 [Servlet.Engine.Transports : 0] DEBUG **********.filter.SecurityFilter - Session last accessed (new Date(session.getLastAccessedTime())): Tue May 23 15:55:27 PDT 2006
As you can see, the time difference between session last accessed and session created is more than 3 minutes.
I'm facing the same problem! Did you solved the problem? I've a cluster environment with two nodes. The problem is that the session, doesn't timeout exactly after 5 minutes. When the requisition is on the first node, it works just fine but on the second node it never timeout. The memory-to-memory replication is activated, and the session timeout configurations are made for both nodes to 10 minutes.
This is an old post, but thought I would give a reply anyway. This is from an IBM redbook:
Note: For performance reasons, the session manager invalidation process
runs at regular intervals to invalidate any invalid sessions. This interval is
determined internally based on the Session timeout interval specified in the
Session manager properties. For the default timeout value of 30 minutes,
the invalidation process interval is around 300 seconds. In this case, it
could take up to 5 minutes (300 seconds) beyond the timeout threshold of
30 minutes for a particular session to become invalidated.