Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Random Session Invalidation

I am running a J2EE web application in Tomcat, and recently I have been tasked with adding metrics to the application. I am using a SessionListener to detect when the session is destroyed, and then uploading the metrics to a database. My Session timeout is set in my web.xml to 30 minutes, and I am not invalidating the session anywhere programmatically. Often during 1 5-10 minute period of me logging in for testing, I will see 3 or 4 sets of metrics uploaded to the database, all with different session id's.

Besides web.xml and session.invalidate(), what else can cause a session in Tomcat to be destroyed? Exceptions? Will Tomcat ever randomly invalidate sessions?

like image 565
jconlin Avatar asked Apr 20 '09 20:04

jconlin


1 Answers

Possibly your webbrowser has decided to not sent the session cookie on a request to the webapplication, where your application would have expected one. I have seen this happen with an apache rewrite rule; an URL outside the session-cookie path was redirected to the web-application. There something like the folowing happened (details may be wrong):

  • my web application was located at /app/
  • thus the session cookie was bound to this path /app/
  • a page in the webapplication referred to /img/magic.jpeg
  • the browser did not sent the session cookie in its request for this image (path did not match)
  • the server redirected the request (internally) to /app/createImage?magic
  • the web application did not receive a session cookie, so it created a new session

You should be able to see if this causes your problem if you log the initial URL for new sessions.

like image 102
beetstra Avatar answered Oct 15 '22 21:10

beetstra