Session invalidation is not working

Technote (FAQ)
Problem
Session is not invalidated after specified timeout (MaxInactiveInterval).
Solution
HTTP Sessions are invalidated one of two ways:
  • The application calls the invalidate() method on the session object.
  • The session is not accessed for a period that is longer than the specified session timeout (MaxInactiveInterval) in the WebSphere® Application Server session manager.

Sessions that are invalidated explicitly by application code are invalidated immediately. Sessions that are not invalidated by application code are invalidated by the session manager. This document describes how this process works.

How does the WebSphere Application Server session manager invalidate sessions?

A session is eligible for invalidation if it has not been accessed for a period that is longer than the specified session timeout (MaxInactiveInterval) . The session manager has an invalidation process thread that runs every X seconds to invalidate sessions that are eligible for invalidation. The session manager uses a formula to determine the value of X. The value of X is calculated based on MaxInactiveInterval specified in the session manager and is referred to as the ReaperInterval.

For example:
  • For a maximum inactive interval of <15 minutes, the ReaperInterval (value of X) is approximately 60 to 90 seconds
  • For a maximum inactive interval of >15 minutes the ReaperInterval (value of X) is approximately 300 to 360 seconds


When does the session actually get invalidated by the session manger?

A session is invalidated when the MaxInactiveInterval is met and the ReaperInterval passes. After a session is eligible for invalidation, the invalidation thread must run for it to be invalidated. As a result, a session might not be invalidated for MaxInactiveInterval + ReaperInterval seconds.

Can the ReaperInterval be controlled?

You can specify custom value for ReaperInterval using a Java™ virtual machine (JVM™) system property.
    For WebSphere Application Server V3.5.6 or higher and V4.0.2 or higher:
    -DSessionReaperInterval=<interval>(in seconds)

    For all releases of WebSphere Application Server V5.0:
    -DHttpSessionReaperPollInterval=<interval>(in seconds)

Sessions are eligible for invalidation as soon as their maximum inactive interval expires, but are not actually invalidated until the reaper runs, which might be up to 6 minutes later. You can use this property to force the reaper to run more often, like every 60 seconds. Note that the more often the reaper runs, the more overhead it takes, so it can negatively impact performance. Values less than 60 seconds are not recommended.











Document Information

Product categories: Software, Application Servers, Distributed Application & Web Servers, WebSphere Application Server, Sessions and Session Management
Operating system(s): Multi-Platform
Software version: 3.5, 4.0, 5.0
Software edition: Edition Independent
Reference #: 1127478
IBM Group: Software Group
Modified date: 2004-03-03