Session Manager will reuse a SessionID in the creation of a new HTTP session in certain circumstances
 Flash (Alert)
 
Abstract
Under certain circumstances, the WebSphere® Application Server Session Manager will reuse a SessionID. This document describes these circumstances.
 
Content
In WebSphere Application Server v5.0, v5.1, V6.0 and v6.1 releases, the Session Manager will reuse a SessionID under the following circumstances:
  1. SessionID is in use in another webModule:

    If the incoming SessionID is in use in another webModule, it will be used as part of the unique identifier for the new session object. What makes a session object unique is the combination of the SessionID and the WebModule name. This allows a client to access multiple session objects (one session object per webModule) while only having one cookie.

  2. SessionID is NOT in use in another WebModule. However, it is located in the list of recently invalidated sessions (persistence only):

    When using any type of session persistence, such as memory-to-memory or database, a client that has previously established a session, invalidated it, and subsequently makes a request to establish a new session without closing the browser will be returned a new session object with the same SessionID. The session manager will only reuse this SessionID if it is found in a list of recently invalidated sessions. This only occurs when using a method of persistence. When the Session Manager is configured to only use in-memory sessions, a new SessionID will be generated.

    The purpose of this default behavior is to increase performance in a clustered environment where persistent sessions are used. It eliminates a query to the database or a query to memory-to-memory (DRS) persistence. If this behavior is not desired, it can be disabled by setting the JVM system property "UseInvalidatedId" to the value of "false" as shown in the following screen image:




If session trace is enabled, you can observe the behavior of the Session Manager getting the Session ID from the list of recently invalidated sessions.

The following is a trace example using Session ID "oyixQgEg8l3Ta-DbNExU3bZ" as an example. (Note: The following trace statements come from WebSphere 5.1.1.1 and might differ form other releases of WebSphere.)

Trace reveals that session "oyixQgEg8l3Ta-DbNExU3bZ" is invalidated:

...
The same client makes a request and it's session cookie has the same session ID as previously used:

...
Later in the trace you will see that the Session Manager indicates the session is not a valid session.
...
The Session Manger then check to see if the session is in use.

...
For this example "IsSessionIDInUse" is false.

...
The following trace statements show that Session Manager found the session ID in the list of recently used session IDs and creates a session

...
This trace statement prior to the createSession is a little misleading since the session manager does not actually go to the database. It obtains this ID from a in-memory list of recently invalidated sessions and creates the session.
 
Related information
MustGather: Session Management problems in V5
MustGather: Session Management problems in V6
 
 
Cross Reference information
Segment Product Component Platform Version Edition
Application Servers Runtimes for Java Technology Java SDK
 
 


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Sessions and Session Management
Operating system(s): Windows
Software version: 6.1
Software edition:
Reference #: 1179195
IBM Group: Software Group
Modified date: Feb 6, 2007