Abstract
Under certain circumstances, the WebSphere® Application
Server Session Manager will reuse a SessionID. This document describes
these circumstances.

Content
In WebSphere Application Server v5.0, v5.1, v6.0 and v6.1
releases, the Session Manager will reuse a SessionID under the following
circumstances:
- SessionID is in use in another webModule:
If the incoming SessionID is in use in another webModule, it will
be used as part of the unique identifier for the new session object. What
makes a session object unique is the combination of the SessionID and the
WebModule name. This allows a client to access multiple session objects
(one session object per webModule) while only having one cookie.
- SessionID is NOT in use in another WebModule. However, it is
located in the list of recently invalidated sessions (persistence
only):
When using any type of session persistence, such as
memory-to-memory or database, a client that has previously established a
session, invalidated it, and subsequently makes a request to establish a
new session without closing the browser will be returned a new session
object with the same SessionID. The session manager will only reuse this
SessionID if it is found in a list of recently invalidated sessions. This
only occurs when using a method of persistence. When the Session Manager
is configured to only use in-memory sessions, a new SessionID will be
generated.
The purpose of this default behavior is to increase performance in a
clustered environment where persistent sessions are used. It eliminates a
query to the database or a query to memory-to-memory (DRS) persistence. If
this behavior is not desired, it can be disabled by setting the JVM system
property "UseInvalidatedId" to the value of "false" as shown
in the following screen image:
If session trace is enabled, you can observe the behavior of the Session
Manager getting the Session ID from the list of recently invalidated
sessions.
The following trace example uses Session ID
"oyixQgEg8l3Ta-DbNExU3bZ". (Note: The following
trace statements come from WebSphere 5.1.1.1 and might differ from other
releases of WebSphere.)
Trace reveals that session "oyixQgEg8l3Ta-DbNExU3bZ" is
invalidated:
...
The same client makes a request and its session cookie has the same
session ID as previously used:
...
Later in the trace you will see that the Session Manager indicates the
session is not a valid session.
...
The Session Manager then checks to see if the session is in use.
...
For this example "IsSessionIDInUse" is false.
...
The following trace statements show that Session Manager found the session
ID in the list of recently used session IDs and creates a session
...
This trace statement prior to the createSession is a little misleading
since the session manager does not actually go to the database. It obtains
this ID from an in-memory list of recently invalidated sessions and creates
the session.
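
The reuse rules described in this document, written out as a simplified Python model. This is an example added here, not IBM's Session Manager code; the class, method and module names are hypothetical, and the generated IDs are random placeholders.

```python
import secrets

class SessionManagerModel:
    """Simplified model of the SessionID reuse rules in this document."""

    def __init__(self, persistence, use_invalidated_id=True):
        self.persistence = persistence                # True for database or memory-to-memory
        self.use_invalidated_id = use_invalidated_id  # models the UseInvalidatedId property
        self.sessions = {}                 # (session_id, web_module) -> session object
        self.recently_invalidated = set()  # in-memory list of invalidated IDs

    def is_session_id_in_use(self, session_id):
        return any(sid == session_id for sid, _ in self.sessions)

    def get_session(self, incoming_id, web_module):
        """Return (session_id, reason) for a request whose cookie holds incoming_id."""
        if incoming_id and (incoming_id, web_module) in self.sessions:
            return incoming_id, "existing"
        if incoming_id and self.is_session_id_in_use(incoming_id):
            # Case 1: same ID, different webModule -> new session object, same ID.
            reason = "reused: in use in another webModule"
        elif (incoming_id and self.persistence and self.use_invalidated_id
              and incoming_id in self.recently_invalidated):
            # Case 2: persistence only, ID found in the recently invalidated list.
            reason = "reused: recently invalidated"
        else:
            # In-memory sessions, or reuse disabled: a new ID is generated.
            incoming_id, reason = secrets.token_urlsafe(17), "new"
        self.sessions[(incoming_id, web_module)] = {}
        return incoming_id, reason

    def invalidate(self, session_id, web_module):
        del self.sessions[(session_id, web_module)]
        self.recently_invalidated.add(session_id)


def demo(persistence, use_invalidated_id=True):
    """Establish sessions in two modules, invalidate both, then send the old cookie again."""
    mgr = SessionManagerModel(persistence, use_invalidated_id)
    first, _ = mgr.get_session(None, "moduleA.war")            # constructed module names
    other, why_other = mgr.get_session(first, "moduleB.war")   # same cookie, second module
    mgr.invalidate(first, "moduleA.war")
    mgr.invalidate(other, "moduleB.war")
    again, why_again = mgr.get_session(first, "moduleA.war")   # browser was not closed
    return first == other, why_other, first == again, why_again
```

Calling `demo(True)`, `demo(False)` and `demo(True, use_invalidated_id=False)` compares the default persistent configuration with in-memory sessions and with reuse disabled.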