I have configured a 20 minute session timeout in the web.xml file of my war. But I am calling my servlet to keep the session active after 20 minutes using this JavaScript code:
setInterval(function () {
$.get("sessionKeepAlive");
}, 240000);
Everything is working fine in the Dev environment, but in QA it's not working. We are using a load-balancer in QA. I want to know if there is anything that we can change in the server configuration to get around this issue.
web.xml:
<session-config>
<session-timeout>10</session-timeout>
</session-config>
OK, there can be a number of things to look at:
Since you are using a Load Balancer, it suggests you are using multiple Java servers (app servers or servlet containers) - you should ensure your Session sharing (clustering) mechanism is properly configured. Also, your back-end server may require you to add the <distributable /> tag to your web.xml. (The downside of this approach is that sharing sessions across more than a handful of back-end servers is not really advisable, unless absolutely necessary.)
An alternative option to using clustering/session sharing, as mentioned by #piet.t, is to ensure that Session stickiness is enabled on your load balancer - this would ensure that requests using the same session always go back to the same server. (The downside of this approach is that you risk losing a lot of sessions if 1 server dies.)
As #JB Nizet suggested in the comments above, you should ensure your AJAX GET request is not being returned from the browser cache - this is sometimes done by adding a random number to each GET request (e.g. the time in milliseconds).
Thanks all for your reply :)
I just checked and found that the session stickiness time on the load-balancer is 3 minutes. This means the load-balancer can send the request to any server after 3 minutes even if the session is active.
For the time being I have changed the JS method, and later I will update the session active time on the load-balancer.
setInterval(function () {
$.get("sessionKeepAlive");
}, 240000);
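A server-side counterpart to the cache and stickiness points in this thread, as an added example that is not code from the question or its answers: a keep-alive servlet that marks its response non-cacheable, never creates a new session, and logs when a node is handed a session ID it does not know. It assumes the javax.servlet API (Servlet 3.x); the class name and log wording are illustrative.

```java
import java.io.IOException;
import java.net.InetAddress;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (hypothetical class), mapped to the URL the page's JS polls.
@WebServlet("/sessionKeepAlive")
public class SessionKeepAliveServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Stop browsers and proxies from answering the poll from cache.
        resp.setHeader("Cache-Control", "no-store");

        // getSession(false): a keep-alive must never create a fresh session.
        HttpSession session = req.getSession(false);
        if (session == null) {
            if (req.getRequestedSessionId() != null) {
                // A session ID was presented but is unknown on this node:
                // it expired, or the load balancer routed the request to a
                // node that never held the session. The ID is not logged.
                log("keep-alive with unknown session id on node "
                        + InetAddress.getLocalHost().getHostName());
            }
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Handling a request that belongs to the session resets its idle timer.
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

A 401 from this endpoint while the user is still active points at routing or session replication rather than at the timeout value.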
Is it possible to define the scope of a whole spring project such as session, request etc?
I have a spring project which is only used as a web service to provide services to other projects, which are forming the application together. In the web service project there are many endpoints which are all accessed via soapMessages from other projects when necessary.
What I would like to achieve is that every time this web service project responds to its clients, it should close the connection immediately. I found the following solutions, but they are not really solutions to this problem:
In the web.xml file I added
<session-config>
<session-timeout>10</session-timeout>
</session-config>
but this is not doing what I would like to do, as it is closing all the sessions every 10 minutes.
I created .htaccess file and added
<IfModule mod_headers.c>
Header set Connection close
</IfModule>
Apparently this is not even being evaluated by Tomcat, and you can only set these properties in the global scope of the server, which wouldn't be project specific and would apply to all the applications on that server.
By the way I am aware that closing the connection and reopening it at every request will reduce the performance.
You can use try-with-resources every time you receive a request on the API. You can open the session with try-with-resources and use that session for the entire flow; then, after the response, the session will be closed automatically with the scope.
Eg :
try (Session session = sessionFactory.openSession()) {
Response resp = service.doSomething(session);
return resp;
}
There is a very weird problem with our Tomcat 8.0.32 installed under Ubuntu 16.x.
This problem starts to happen accidentally and persists until the Tomcat server is restarted (so it is reproducible once it begins to happen).
What happens is that some of the requests sent by a timer from the JS application with a proper cookie: JSESSIONID= value are improperly processed: Tomcat cannot find the Session object for it (from the Spring MVC layer this means that the user is not authenticated). All requests with the same JSESSIONID sent before this broken request, and all requests sent after it (again with the same session id value), work fine!
We also certainly see that all headers in that request are correct (they are printed out by our application in a Filter), but the Session object is not restored.
So basically it sounds like under some circumstances Tomcat starts ignoring the JSESSIONID from requests sent via redirect from another server. And again, this does not always happen, only after the web application has been running for some time.
I will not provide any code here or configuration settings. First, because it looks like the poor Tomcat problem, second, because configuration is standard (out of the box after apt-install).
My question is: how can we configure Tomcat to log all operations related to JSESSIONID processing? For example, that it finds a session for the given ID, or does not, and so on.
UPD: This never happens with the newer Tomcat version 8.5.5. But for some reasons it cannot be updated on that particular server. My current goal is to collect evidence about this behaviour to be sure whether it is a bug or some strange default configuration of that Tomcat installation.
According to the docs https://tomcat.apache.org/tomcat-8.0-doc/logging.html
to enable debug logging for part of Tomcat's internals, you should configure both the appropriate logger(s) and the appropriate handler(s) to use the FINEST or ALL level. e.g.:
org.apache.catalina.session.level=ALL
java.util.logging.ConsoleHandler.level=ALL
I need to know if it's possible to set a forced session timeout at the web server level that, after x period of time, kicks the user out of the session whether it is active or inactive, or, better said, makes the web server delete the session linked to the client.
Can this be achieved without development intervention on the application side?
Is it possible to do this with Tomcat? Thank you.
You can do it through the Tomcat default web.xml configuration:
<session-config>
<session-timeout>10</session-timeout> <!-- 10 minutes -->
</session-config>
For full reference: https://tomcat.apache.org/tomcat-5.5-doc/appdev/web.xml.txt
The file can be located in conf/web.xml (relative to your tomcat installation)
Edit
You can also invalidate a given session using the session.invalidate() method.
You can set the time when you create a session using setMaxInactiveInterval(int interval);
either make it constant or fetch it from the database depending on the user's time.
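Both session-timeout and setMaxInactiveInterval() measure inactivity, so a session that keeps receiving requests is not ended by them. A cap that also applies to active sessions can be enforced by comparing against the session's creation time, as in this added example, which is not code from the question or its answers. It assumes the javax.servlet API (Servlet 3.x); the class name and the 8-hour limit are illustrative.

```java
import java.io.IOException;
import java.util.concurrent.TimeUnit;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (hypothetical class): absolute session lifetime limit.
@WebFilter("/*")
public class AbsoluteSessionTimeoutFilter implements Filter {
    // Assumed policy value; pick the limit your policy requires.
    private static final long MAX_AGE_MS = TimeUnit.HOURS.toMillis(8);

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpSession session = ((HttpServletRequest) req).getSession(false);
        if (session != null && isTooOld(session)) {
            ((HttpServletResponse) res).sendError(
                    HttpServletResponse.SC_UNAUTHORIZED, "Session expired");
            return; // do not pass the request on to the application
        }
        chain.doFilter(req, res);
    }

    // True if the session exceeded MAX_AGE_MS (and has now been invalidated)
    // or was already invalidated by a concurrent request.
    private static boolean isTooOld(HttpSession session) {
        try {
            long age = System.currentTimeMillis() - session.getCreationTime();
            if (age <= MAX_AGE_MS) {
                return false;
            }
            session.invalidate();
            return true;
        } catch (IllegalStateException alreadyInvalidated) {
            return true;
        }
    }
}
```

Because getCreationTime() is fixed when the session is created, periodic keep-alive requests cannot extend this limit.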
I've enabled sessions on my app:
// appengine-web.xml
<sessions-enabled>true</sessions-enabled>
They seem to work when I load different pages under my domain. If I close the browser, however, it looks like the session is terminated. Restarting the browser shows the last session is no longer available.
That could be fine, just wondering if this is documented anywhere, so I can rely on this fact?
I tried the following just to test if we can tweak it:
// in web.xml
<session-config>
<session-timeout>10</session-timeout>
</session-config>
also
// in my servlet
getThreadLocalRequest().getSession().setMaxInactiveInterval(60 * 5);
but same behavior, session data is no longer available after browser restart.
I looked at the stats for my project and I see data being used for something like "_ah_SESSION" objects. Are those the sessions from above? If so, shouldn't they be cleaned since they're no longer valid? (Hopefully gae takes care of that automatically?)
Thanks
Using Google accounts, session expiry is actually handled in the App Engine admin console, not through Java. Log in to your admin console at http://appengine.google.com/ and select 'Application Settings', then change 'Cookie Expiration' to whatever period suits you best.
That is how a session works. JSESSIONID typically holds the session ID in the HTTP.
When the browser closes the session, the session still stays active on the server, and all expired sessions are freed after a period of time.
When you reopen a new browser session, the browser has no idea of any previous sessions, so a new one is created.
There are workarounds for this...
- Create a Cookie
- Store a unique variable in a hidden form field and use that.
- URL rewriting
By default Jetty* sets a JSESSIONID cookie ( session based ) which means that it will be deleted after your browser is closed.
When the browser is opened again, a new JSESSIONID cookie will be created and the previous session context is lost.
If you want to keep the cookie alive for longer then just add the following configuration on your web.xml:
Set cookie expiration time
<context-param>
<param-name>org.mortbay.jetty.servlet.MaxAge</param-name>
<!-- amount of seconds (1 month in this case) -->
<param-value>2592000</param-value>
</context-param>
Additionally, you should let Google know how long it should keep the sessions in _ah_SESSION
Set session expiration time
<session-config>
<!-- minutes of inactivity: (1 month in this case) -->
<session-timeout>43200</session-timeout>
</session-config>
*Other Jetty configurations can be found here: https://wiki.eclipse.org/Jetty/Howto/SessionIds
If I do not specify the following in my web.xml file:
<session-config>
<session-timeout>10</session-timeout>
</session-config>
What will be my default session timeout? (I am running Tomcat 6.0)
If you're using Tomcat, it's 30 minutes. You can read more about it here.
You can also set this in code, for a specific session using the HttpSession setMaxInactiveInterval API:
"Specifies the time, in seconds, between client requests before the servlet container will invalidate this session. A negative time indicates the session should never timeout."
I mention this in case you see timeouts that are not 30 minutes, but you didn't specify another value (e.g. another developer on the project used this API).
Another item to note is this timeout may not trigger on the exact second the session is eligible to expire. The Java EE server may have a polling thread that checks for expired sessions every minute. I don't have a reference for this, but have seen this behavior in the WebSphere 5.1 era.
I'm sure it depends on your container. Tomcat is 30 minutes.
We can specify the session timeout for a particular context in the web.xml file, as in the entry mentioned below:
60
Default Session time out is 30 mins