Re: disabling session management

2010-10-14 Thread Michael Echerer
Hi,

you could also use a SessionListener and invalidate sessions immediately
after being created, or you could write your own implementation of
org.apache.catalina.Manager
(http://tomcat.apache.org/tomcat-6.0-doc/config/manager.html) and
configure it to be used instead of the default manager.
Can't be too difficult if it just has to serve as a NOP
implementation... However I would prefer to figure out why sessions are
unexpectedly created at all.

Cheers,
Michael

Christopher Schultz wrote:
 Emerson,

 On 10/8/2010 10:25 AM, emerson wrote:
  We've been doing some tuning on our TC environment and noticed that
  tomcat is holding 30 megabytes of classes related to session
  management.

 Which classes, specifically?

  This is on our middle-tier server, where sessions are irrelevant.

 Okay, great.

  Is there a way to disable session management for this server?

 Don't call request.getSession(). If you have JSPs (in a middle tier?),
 make sure they all have session=false in their @page directives.

  What is the impact of using session-timeout = 0?

 Your sessions will never time out, and your problem will likely get worse.

  We currently use 30 minutes for the session-timeout.

 You could always set it to 1 minute just to be sure they don't last very
 long if they are accidentally created.

 -chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



-- 

TNG Technology Consulting GmbH, Betastr. 13a, D-85774 Unterföhring






Re: disabling session management

2010-10-12 Thread Christopher Schultz

Emerson,

On 10/11/2010 8:54 AM, emerson wrote:
 Thousands of Session instances inside the sessions attribute of the
 org.apache.catalina.session.StandardManager.
 In theory we are not calling getSession() on the middle tier and, as you
 mentioned, we have no JSPs either.

Okay, so you have lots of HttpSession objects being created. :(

 However, we might be passing a jsession parameter from the frontend to
 the middle tier. Would that be an issue, causing the session to be
 created in the middle tier?

That shouldn't affect anything: Tomcat will only create an HttpSession
object if the code requests one. The client cannot force the creation of
a session. That would be a pretty big DoS vulnerability.

 What is the impact of using session-timeout = 0?

 Your sessions will never time out, and your problem will likely get worse.
 
 The only place I see any reference to it is here:
 http://tomcat.apache.org/tomcat-6.0-doc/api/org/apache/catalina/session/StandardSessionFacade.html#setMaxInactiveInterval(int)
 
 And it says that "A negative time indicates the session should never
 timeout." There is no mention of setting it to 0.

I thought I looked that up when I responded, but apparently I didn't.
It's covered in SRV.7.5 of the servlet spec (v2.5) and you're right: -1
means never time out while 0 presumably means expire as soon as
possible.

The best way to find out what code is generating the sessions is to
install an HttpSessionListener. I know that I've posted code previously
to this list that will emit a stack trace to the application log when a
session is created. You could look that up or simply write one from
scratch. Hint: it's next to trivial to implement this.

Good luck,
- -chris

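The tracing listener Christopher describes, written out as an added example (not code from the thread or from Tomcat) for the Servlet 2.5 API that Tomcat 6 implements; the class and package names are assumed, and the listener is registered through web.xml as shown in the comment.

```java
package com.example.diagnostics; // assumed package name

import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Writes a stack trace to the application log every time the container
 * creates an HttpSession, so the code path that called
 * request.getSession() on the middle tier can be identified.
 *
 * Register it in WEB-INF/web.xml (Servlet 2.5 descriptor):
 *
 *   <listener>
 *     <listener-class>com.example.diagnostics.SessionCreationTracer</listener-class>
 *   </listener>
 *
 * Session IDs are deliberately not logged: they are credentials and
 * do not belong in application logs.
 */
public class SessionCreationTracer implements HttpSessionListener {

    private static final Logger LOG =
            Logger.getLogger(SessionCreationTracer.class.getName());

    public void sessionCreated(HttpSessionEvent se) {
        HttpSession session = se.getSession();
        // The Throwable exists only to capture the current call stack.
        // The frames above the container's session-creation code are the
        // application code that asked for a session.
        LOG.log(Level.WARNING,
                "Unexpected HttpSession created (maxInactiveInterval="
                        + session.getMaxInactiveInterval() + "s)",
                new Throwable("session creation call stack"));
    }

    public void sessionDestroyed(HttpSessionEvent se) {
        // Nothing to diagnose here; kept for interface completeness.
        LOG.fine("HttpSession destroyed");
    }
}
```

Once the offending call site is removed, the listener can be dropped again; the short session-timeout suggested earlier in the thread limits the damage from any sessions that are still created accidentally.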



Re: disabling session management

2010-10-11 Thread emerson
Hi Christopher

 Which classes, specifically?

Thousands of Session instances inside the sessions attribute of the
org.apache.catalina.session.StandardManager.
In theory we are not calling getSession() on the middle tier and, as you
mentioned, we have no JSPs either.

However, we might be passing a jsession parameter from the frontend to
the middle tier. Would that be an issue, causing the session to be
created in the middle tier?

 What is the impact of using session-timeout = 0?

 Your sessions will never time out, and your problem will likely get worse.

The only place I see any reference to it is here:
http://tomcat.apache.org/tomcat-6.0-doc/api/org/apache/catalina/session/StandardSessionFacade.html#setMaxInactiveInterval(int)

And it says that "A negative time indicates the session should never
timeout." There is no mention of setting it to 0.

Regards
Emerson
On 8 October 2010 15:35, Christopher Schultz
ch...@christopherschultz.net wrote:

 Emerson,

 On 10/8/2010 10:25 AM, emerson wrote:
 We've been doing some tuning on our TC environment and noticed that
 tomcat is holding 30 megabytes of classes related to session
 management.



 This is on our middle-tier server, where sessions are irrelevant.

 Okay, great.

 Is there a way to disable session management for this server?

 Don't call request.getSession(). If you have JSPs (in a middle tier?),
 make sure they all have session=false in their @page directives.

 What is the impact of using session-timeout = 0?

 Your sessions will never time out, and your problem will likely get worse.

 We currently use 30 minutes for the session-timeout.

 You could always set it to 1 minute just to be sure they don't last very
 long if they are accidentally created.

 - -chris





Re: disabling session management

2010-10-08 Thread Christopher Schultz

Emerson,

On 10/8/2010 10:25 AM, emerson wrote:
 We've been doing some tuning on our TC environment and noticed that
 tomcat is holding 30 megabytes of classes related to session
 management.

Which classes, specifically?

 This is on our middle-tier server, where sessions are irrelevant.

Okay, great.

 Is there a way to disable session management for this server?

Don't call request.getSession(). If you have JSPs (in a middle tier?),
make sure they all have session=false in their @page directives.

 What is the impact of using session-timeout = 0?

Your sessions will never time out, and your problem will likely get worse.

 We currently use 30 minutes for the session-timeout.

You could always set it to 1 minute just to be sure they don't last very
long if they are accidentally created.

- -chris
