Session management settings
Use this page to manage HTTP session support. This support includes specifying...
- a session tracking mechanism
- setting maximum in-memory session count
- controlling overflow
- configuring session timeout
To view this administrative console page, click...
Servers | Application servers | servername | Web container settings | Session management
Configuration tab
- Override session management
Whether or not these session management settings take precedence over those normally inherited from a higher level for the current application or web module.
By default, web modules inherit session management settings from the application level above it, and applications inherit session management settings from the Web container level above it.
- Session tracking mechanism
Mechanism for HTTP session management.
Mechanism Function Default Enable SSL ID Tracking Session tracking uses SSL information as a session ID. Enabling SSL tracking takes precedence over cookie-based session tracking and URL rewriting.
There are two parameters available if you enable SSL ID tracking:
- SSLV3Timeout
- SAS
SSLV3Timeout specifies the time interval after which SSL sessions are renegotiated. This is a high setting and modification does not provide any significant impact on performance.
SAS parameter establishes an SSL connection only if it goes out of the JVM to another JVM. If all the beans are co-located within the same JVM, the SSL used by SAS does not hinder performance.
These are set by editing the sas.server.properties and sas.client.props files located in...
$WAS_INSTALL\properties9600 seconds Enable cookies Session tracking uses cookies to carry session IDs. If cookies are enabled, session tracking recognizes session IDs that arrive as cookies and tries to use cookies for sending session IDs. If cookies are not enabled, session tracking uses URL rewriting instead of cookies (if URL rewriting is enabled).
Enabling cookies takes precedence over URL rewriting. Do not disable cookies in the session management facility of the application server that is running the administrative application because this action causes the administrative application not to function after a restart of the server. As an alternative, run the administrative application in a separate process from your applications.
Click Modify to change these settings.
Enable URL rewriting Session management facility uses rewritten URLs to carry the session IDs. If URL rewriting is enabled, the session management facility recognizes session IDs that arrive in the URL if the encodeURL method is called in the servlet.
Enable protocol switch rewriting Session ID is added to a URL when the URL requires a switch from HTTP to HTTPS or from HTTPS to HTTP. If rewriting is enabled, the session ID is required to go between HTTP and HTTPS. - Maximum in-memory session count
Specifies the maximum number of sessions to maintain in memory.
The meaning differs depending on whether you are using in-memory or distributed sessions.
For in-memory sessions, this value specifies the number of sessions in the base session table. Use the Allow overflow property to specify whether to limit sessions to this number for the entire session management facility or to allow additional sessions to be stored in secondary tables. For distributed sessions, this value specifies the size of the memory cache for sessions. When the session cache has reached its maximum size and a new session is requested, the session management facility removes the least recently used session from the cache to make room for the new one.
- Allow overflow
Specifies that the number of sessions in memory can exceed the value specified by the Max in-memory session count property. This option is valid only in non-distributed sessions mode.
- Session timeout
Specifies how long a session can go unused before it is no longer valid. Specify either Set timeout or No timeout. Specify the value in minutes greater than or equal to two.
The value specified in a web module deployment descriptor file takes precedence over the administrative console settings. However, the value of this setting is used as a default when the session timeout is not specified in a web module deployment descriptor. Note that to preserve performance, the invalidation timer is not accurate to the second. When the write frequency is time based, ensure that this value is least twice as large as the write interval.
- Security integration
Specifies that when security integration is enabled, the session management facility associates the identity of users with their HTTP sessions
- Serialize session access
Specifies that concurrent session access in a given server is not allowed.
Maximum wait time Specifies the maximum amount of time a servlet request waits on an HTTP session before continuing execution. This parameter is optional and expressed in seconds. The default is 120 seconds, or 2 minutes. Under normal conditions, a servlet request waiting for access to an HTTP session gets notified by the request that currently owns the given HTTP session when the request finishes. Allow access on timeout Specifies whether the servlet is executed normally or aborted in the event of a timeout. If this box is checked, the servlet executes normally. If this box is not checked, the servlet execution aborts and error logs are generated.