Re: [jetty-users] Session timeout

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [jetty-users] Session timeout

From: Jan Bartel <janb@xxxxxxxxxxx>
Date: Wed, 6 Sep 2017 17:46:07 +1000
Delivered-to: jetty-users@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/jetty-users>
List-help: <mailto:jetty-users-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=unsubscribe>

John,

Ah hah! As I posted before, it seems you are not using the most recent jetty-9.4, because you are seeing this issue, which has since been fixed:

https://github.com/eclipse/jetty.project/issues/1224

And no, old versions of jetty did not invalidate the session as soon as they expired: we have always had a scavenger thread which periodically invalidated sessions that were found to be expired. Note that having changed the implementation in jetty-9.4, it is possible to do immediate invalidation, but it is not implemented because it is highly inefficient: consider a server that is using jdbc to store its sessions, individual expiry invalidation would incur a network roundtrip for every session.

As regards your session expiry observed timing, as I've said, you need to use a shorter scavenge interval than your session timeout.

And you need to update your version of jetty ;)

Jan

On 6 September 2017 at 16:36, John English <john.foreign@xxxxxxxxx> wrote:

On 06/09/2017 03:55, Jan Bartel wrote:

John,

As you can see on your log trace, each session contains a timer that
expires when the session maxInactiveInterval is reached. When the timer
expires, that session is queued for attention by the scavenger.

Why not call sessionDestroyed() at this point? I presume that this is what older versions of Jetty used to do, since sessionDestroyed() always used to be called at precisely the correct time and the session object was still accessible inside it. This would accord with the servlet spec where it says that sessiondestroyed() is called when "a session is *about to be* invalidated", not "some time after the session has been invalidated".

By default the scavenger thread only runs once every 10mins, so it is
timing dependent exactly when the session will be scavenged wrt when the
session expires.

And yet:

On 6 September 2017 at 01:26, John English <john.foreign@xxxxxxxxx
<mailto:john.foreign@xxxxxxxxx>> wrote:
Correction: with a 5 minute timeout and no DEBUG flag,
sessionDestroyed() gets called automatically after TWENTY minutes!

This is 15 minutes after the session expires, which is well outside the 10-minute period. So, hmm, I'm still baffled.

--
John English
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users

Jan Bartel <janb@xxxxxxxxxxx>

www.webtide.com
Expert assistance from the creators of Jetty and CometD

Follow-Ups:
- Re: [jetty-users] Session timeout
  - From: John English
- Re: [jetty-users] Session timeout
  - From: John English

References:
- [jetty-users] Session timeout
  - From: John English
- Re: [jetty-users] Session timeout
  - From: Jan Bartel
- Re: [jetty-users] Session timeout
  - From: John English
- Re: [jetty-users] Session timeout
  - From: John English
- Re: [jetty-users] Session timeout
  - From: Jan Bartel
- Re: [jetty-users] Session timeout
  - From: John English

Prev by Date: Re: [jetty-users] Session timeout
Next by Date: Re: [jetty-users] Session timeout
Previous by thread: Re: [jetty-users] Session timeout
Next by thread: Re: [jetty-users] Session timeout
Index(es):
- Date
- Thread

Breadcrumbs