Re: [jetty-users] Session timeout

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [jetty-users] Session timeout

From: John English <john.foreign@xxxxxxxxx>
Date: Wed, 6 Sep 2017 09:25:36 +0300
Delivered-to: jetty-users@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/jetty-users>
List-help: <mailto:jetty-users-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0

On 06/09/2017 03:55, Jan Bartel wrote:

John,

As you can see on your log trace, each session contains a timer that
expires when the session maxInactiveInterval is reached. When the timer
expires, that session is queued for attention by the scavenger.  By
default the scavenger thread only runs once every 10mins, so it is
timing dependent exactly when the session will be scavenged wrt when the
session expires. Note that an expired session that has not yet been
scavenged is not able to be used, as you have discovered.  The servlet
spec does not stipulate any relationship between when a session expires
and when the sessionDestroyed listeners will be called, only that an
expired session cannot be used, and that the listener must be called
when the session is actually invalidated (expiry and invalidation being
2 different things).


OK. However, what I see in the spec for HttpSessionListener is this:

void sessionDestroyed(HttpSessionEvent se)
    Receives notification that a session is about to be invalidated.

That "about to be" suggests that the session should not be invalidateduntil after sessionDestroyed() has returned, and should therefore stillbe accessible inside sessionDestroyed(). Certainly when debugging I cansee that the session object still exists, and still contains my "state"attribute -- and of course I used to be able to access it in allprevious versions of Jetty back to the early 2000's when I firstdeployed this app in a production setting.

If your interpretation of the servlet spec is correct, then it wouldappear that now my app will need to maintain its own HashMap of sessionIDs to state info if I want to be able to write log messages to recordsessions being invalidated with information about which user it was etc.

In this I might as well not store anything in the session itself andjust use the session ID to access my HashMap (assuming I can stillaccess the session ID inside sessionDestroyed(), which I haven't triedyet). This seems rather silly, since the primary purpose of the sessionobject is to maintain this sort of information for me.

--
John English

References:
- [jetty-users] Session timeout
  - From: John English
- Re: [jetty-users] Session timeout
  - From: Jan Bartel
- Re: [jetty-users] Session timeout
  - From: John English
- Re: [jetty-users] Session timeout
  - From: John English
- Re: [jetty-users] Session timeout
  - From: Jan Bartel

Prev by Date: Re: [jetty-users] Session timeout
Next by Date: Re: [jetty-users] Session timeout
Previous by thread: Re: [jetty-users] Session timeout
Next by thread: Re: [jetty-users] Session timeout
Index(es):
- Date
- Thread

Breadcrumbs