Discussion:
[OT] What can prevent sessions from timeouting apart from real requests
Leon Rosenberg
2018-08-24 09:25:18 UTC
Hi,

one of the systems we are consulting has encountered a strange problem. The
sessions will build up indefinitely but never expire. Then, at one point
(at 02am in the night, 19K sessions would drop at once).
Of course the simplest explanation would be that someone is actively
requesting something every 15 minutes (session timeout) keeping track of the
JSESSIONID. We are trying to track this through the access_log and such.
However, my question: is it possible to prevent a session from timing out by
doing something stupid code-wise? Like storing a session in a hashmap
somewhere, and accessing some attributes from time to time? My
understanding was that the session timeout is solely dependent on incoming
requests and handled by the container, but I was not 100% sure ;-)

Thanks in advance
Leon
Christopher Schultz
2018-08-26 23:51:02 UTC
Leon,
Post by Leon Rosenberg
one of the systems we are consulting has encountered a strange
problem. The sessions will build up indefinitely but never expire.
Then, at one point (at 02am in the night, 19K sessions would drop
at once). Of course the simplest explanation would be that someone
is actively requesting something every 15 minutes (session timeout)
keeping track of the JSESSIONID. We are trying to track this
through the access_log and such. However, my question: is it
possible to prevent a session from timing out by doing something
stupid code-wise? Like storing a session in a hashmap somewhere,
and accessing some attributes from time to time? My understanding
was that the session timeout is solely dependent on incoming
requests and handled by the container, but I was not 100% sure ;-)
A few ideas:

1. The background thread has died. Probably not, as the sessions
eventually expire... just way later than expected. Also, the
background thread would not be running anymore, which I think you
would have noticed.

2. Some process has blocked the background thread. For example, a very
long-running HttpSessionListener.sessionDestroyed method. I'm guessing
you would have already noticed a stuck background thread, though.

-chris
Jäkel, Guido
2018-08-27 07:07:25 UTC
Dear Leon,

I suggest using the Tomcat Manager Application to investigate the session data:

* Use the Session Display (/manager/html/sessions?path=/foo) to take a look at the different Timers (Creation Time, Last Accessed Time, Used Time, Inactive Time, TTL) or even the session data

* Use the Connector Scoreboards on the Server Status Display (/manager/status) to detect stuck requests. I'm not sure if a stuck request may prevent a session cleanup (especially of "other" sessions)

Another approach may be to snapshot a memory dump and investigate the session objects, e.g. with the Eclipse Memory Analyzer Tool (aka MAT).

Greetings

Guido
Leon Rosenberg
2018-08-27 14:16:12 UTC
Hi, actually the issue got resolved. The system in question wasn't Tomcat
but JBoss (hence the off-topic), and in particular Undertow. Undertow seems
to have completely different session expiration handling than Tomcat: they
actually prolong the expiration timestamp every time an attribute is accessed...

Thanks for the insights!

Leon
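
An added example, not code from any participant in this thread: one way to combine the access-log tracking from the first post with a list of sessions the container still holds (for instance taken from a session display) to tell request-driven keep-alive apart from sessions that stay alive with no requests at all. The log layout, session ids, snapshot time and the function names `parse` and `classify` are assumptions constructed for the illustration.

```python
from datetime import datetime, timedelta

TIMEOUT = timedelta(minutes=15)  # session timeout quoted in the thread

# Constructed access-log lines; assumed layout: ISO timestamp, session id, path.
ACCESS_LOG = """\
2018-08-23T20:00:00 A1 /login
2018-08-23T20:14:30 A1 /ping
2018-08-23T20:29:00 A1 /ping
2018-08-23T20:43:30 A1 /ping
2018-08-23T20:05:00 B2 /login
2018-08-23T20:07:00 B2 /report
2018-08-23T20:40:00 C3 /login
2018-08-23T20:45:00 C3 /home
2018-08-23T20:49:00 C3 /cart
"""

# Constructed: session ids the container still reports as live at SNAPSHOT.
LIVE_SESSIONS = {"A1", "B2", "C3"}
SNAPSHOT = datetime(2018, 8, 23, 20, 50)


def parse(log):
    """Return {session_id: sorted list of request times}."""
    seen = {}
    for line in log.splitlines():
        stamp, sid, _path = line.split(maxsplit=2)
        seen.setdefault(sid, []).append(datetime.fromisoformat(stamp))
    return {sid: sorted(times) for sid, times in seen.items()}


def classify(log, live, snapshot, timeout=TIMEOUT):
    """Explain why each live session still exists at snapshot time."""
    requests = parse(log)
    verdicts = {}
    for sid in sorted(live):
        times = requests.get(sid, [])
        if not times or snapshot - times[-1] > timeout:
            # No request inside the timeout window, yet the session exists:
            # something other than requests is keeping it alive.
            verdicts[sid] = "alive-without-requests"
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        span = times[-1] - times[0]
        # Outlives the timeout with every gap just under it: periodic keep-alive.
        periodic = bool(gaps) and span > timeout and all(
            timeout * 0.8 <= g < timeout for g in gaps)
        verdicts[sid] = "request-keepalive" if periodic else "normal-activity"
    return verdicts
```

An "alive-without-requests" verdict is only meaningful when the access log covers every front end that can reach the application; when it does, the verdict points at server-side code or container behaviour such as the attribute-access refresh described in the last post.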