Posted to users@tomcat.apache.org by emerson <ec...@gmail.com> on 2010/10/08 16:25:58 UTC

disabling session management

We've been doing some tuning on our TC environment and noticed that
tomcat is holding 30 megabytes of classes related to session
management.

This is on our middle-tier server, where sessions are irrelevant.

Is there a way to disable session management for this server?

What is the impact of using session-timeout = 0?

We currently use 30 minutes for the session-timeout.

Regards
Emerson

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: disabling session management

Posted by Michael Echerer <me...@tngtech.com>.
Hi,

you could also use a SessionListener and invalidate sessions immediately
after being created, or you could write your own implementation of
org.apache.catalina.Manager
http://tomcat.apache.org/tomcat-6.0-doc/config/manager.html and
configure it to be used instead of the default manager.
Can't be too difficult if it just has to serve as a NOP
implementation... However I would prefer to figure out why sessions are
unexpectedly created at all.

Cheers,
Michael

Christopher Schultz wrote:
> Emerson,
>
> On 10/8/2010 10:25 AM, emerson wrote:
> > We've been doing some tuning on our TC environment and noticed that
> > tomcat is holding 30 megabytes of classes related to session
> > management.
>
> Which classes, specifically?
>
> > This is on our middle-tier server, where sessions are irrelevant.
>
> Okay, great.
>
> > Is there a way to disable session management for this server?
>
> Don't call request.getSession(). If you have JSPs (in a middle tier?),
> make sure they all have session="false" in their <@page> directives.
>
> > What is the impact of using session-timeout = 0?
>
> Your sessions will never time out, and your problem will likely get worse.
>
> > We currently use 30 minutes for the session-timeout.
>
> You could always set it to 1 minute just to be sure they don't last very
> long if they are accidentally created.
>
> -chris




-- 

TNG Technology Consulting GmbH, Betastr. 13a, D-85774 Unterföhring
Geschäftsführer: Henrik Klagges, Gerhard Müller, Christoph Stock
Amtsgericht München, HRB 135082





Re: disabling session management

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Emerson,

On 10/11/2010 8:54 AM, emerson wrote:
> Thousands of Session instances inside the sessions attribute of the
> org.apache.catalina.session.StandardManager.
> In theory we are not calling getSessions on the middle tier and as you
> mentioned, we have no JSPs either.

Okay, so you have lots of HttpSession objects being created. :(

> However, we might be passing a jsession parameter from the frontend to
> the middle tier. Would that be an issue, causing the session to be
> created in the middle tier?

That shouldn't affect anything: Tomcat will only create an HttpSession
object if the code requests one. The client cannot force the creation of
a session. That would be a pretty big DoS vulnerability.

>>> What is the impact of using session-timeout = 0?
>>
>> Your sessions will never time out, and your problem will likely get worse.
> 
> The only place I see any reference to it is here:
> http://tomcat.apache.org/tomcat-6.0-doc/api/org/apache/catalina/session/StandardSessionFacade.html#setMaxInactiveInterval(int)
> 
> And it says that "A negative time indicates the session should never
> timeout." There is no mention of setting it to "0".

I thought I looked that up when I responded, but apparently I didn't.
It's covered in SRV.7.5 of the servlet spec (v2.5) and you're right: -1
means "never time out" while 0 presumably means "expire as soon as
possible".

The best way to find out what code is generating the sessions is to
install an HttpSessionListener. I know that I've posted code previously
to this list that will emit a stack trace to the application log when a
session is created. You could look that up or simply write one from
scratch. Hint: it's next to trivial to implement this.

Good luck,
-chris
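Michael's session-listener idea and Chris's stack-trace listener fit in one class. The listener below is an added example written for this thread, not the code Chris posted to the list earlier; the package and class names are assumptions. On each session creation it logs the call stack that led to request.getSession() and caps that session's lifetime at 60 seconds, which is Chris's short-timeout suggestion, so accidental sessions cannot accumulate while the cause is being tracked down.

```java
// Added example (not from the thread): a diagnostic HttpSessionListener for
// Tomcat 6 / Servlet 2.5 that shows which code path creates sessions on a tier
// that should not need them, and keeps any such session short-lived.
// Package and class names are assumptions.
package example.diag;

import java.util.concurrent.atomic.AtomicInteger;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

public class SessionCreationTracer implements HttpSessionListener {

    private static final Logger LOG =
            Logger.getLogger(SessionCreationTracer.class.getName());

    // Cap for accidentally created sessions: 60 s instead of the 30 min default.
    private static final int MAX_INACTIVE_SECONDS = 60;

    // Live session count, so the log shows whether sessions are piling up.
    private static final AtomicInteger LIVE = new AtomicInteger();

    public void sessionCreated(HttpSessionEvent se) {
        HttpSession session = se.getSession();
        int live = LIVE.incrementAndGet();
        // The Throwable is never thrown; it only captures the current call
        // stack, which the log formatter prints after the message. Further
        // down that trace, past Tomcat's own frames, is the servlet or filter
        // that called request.getSession().
        LOG.log(Level.WARNING,
                "HttpSession created (live sessions: " + live + ")",
                new Throwable("session creation site"));
        // Make sure the session cannot linger even if nobody invalidates it.
        session.setMaxInactiveInterval(MAX_INACTIVE_SECONDS);
    }

    public void sessionDestroyed(HttpSessionEvent se) {
        LOG.fine("HttpSession destroyed (live sessions: "
                + LIVE.decrementAndGet() + ")");
    }
}

// Register it in WEB-INF/web.xml (Servlet 2.5 has no @WebListener annotation):
//   <listener>
//     <listener-class>example.diag.SessionCreationTracer</listener-class>
//   </listener>
```

Because the listener runs inside the request that created the session, the trace points directly at the calling code; once that caller is fixed, remove the listener rather than keep it as a workaround.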



Re: disabling session management

Posted by emerson <ec...@gmail.com>.
Hi Christopher

> Which classes, specifically?

Thousands of Session instances inside the sessions attribute of the
org.apache.catalina.session.StandardManager.
In theory we are not calling getSessions on the middle tier and as you
mentioned, we have no JSPs either.

However, we might be passing a jsession parameter from the frontend to
the middle tier. Would that be an issue, causing the session to be
created in the middle tier?

>> What is the impact of using session-timeout = 0?
>
> Your sessions will never time out, and your problem will likely get worse.

The only place I see any reference to it is here:
http://tomcat.apache.org/tomcat-6.0-doc/api/org/apache/catalina/session/StandardSessionFacade.html#setMaxInactiveInterval(int)

And it says that "A negative time indicates the session should never
timeout." There is no mention of setting it to "0".

Regards
Emerson
On 8 October 2010 15:35, Christopher Schultz
<ch...@christopherschultz.net> wrote:
>
> Emerson,
>
> On 10/8/2010 10:25 AM, emerson wrote:
>> We've been doing some tuning on our TC environment and noticed that
>> tomcat is holding 30 megabytes of classes related to session
>> management.
>

>
>> This is on our middle-tier server, where sessions are irrelevant.
>
> Okay, great.
>
>> Is there a way to disable session management for this server?
>
> Don't call request.getSession(). If you have JSPs (in a middle tier?),
> make sure they all have session="false" in their <@page> directives.
>
>> What is the impact of using session-timeout = 0?
>
> Your sessions will never time out, and your problem will likely get worse.
>
>> We currently use 30 minutes for the session-timeout.
>
> You could always set it to 1 minute just to be sure they don't last very
> long if they are accidentally created.
>
> -chris



Re: disabling session management

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Emerson,

On 10/8/2010 10:25 AM, emerson wrote:
> We've been doing some tuning on our TC environment and noticed that
> tomcat is holding 30 megabytes of classes related to session
> management.

Which classes, specifically?

> This is on our middle-tier server, where sessions are irrelevant.

Okay, great.

> Is there a way to disable session management for this server?

Don't call request.getSession(). If you have JSPs (in a middle tier?),
make sure they all have session="false" in their <@page> directives.

> What is the impact of using session-timeout = 0?

Your sessions will never time out, and your problem will likely get worse.

> We currently use 30 minutes for the session-timeout.

You could always set it to 1 minute just to be sure they don't last very
long if they are accidentally created.

-chris
