10.9 Invalidating sessions
This section discusses invalidating sessions when the user no longer needs the session object, for example, when the user has logged off a site. Invalidating a session removes it from the session cache, as well as from the persistent store.
WebSphere offers three methods for invalidating session objects:
- Programmatically, use the invalidate() method on the session object. If the session object is accessed by multiple threads in a Web application, be sure that none of the threads still have references to the session object.
- An invalidator thread scans for timed-out sessions every n seconds, where n is configurable from the console. The session timeout setting is in the general properties of the session management settings.
- For persistent sessions, the administrator can specify times when the scan runs. This feature has the following benefits when used with persistent sessions:
  - Persistent store scans can be scheduled during periods that normally have low demand. This avoids slowing down online applications due to contention in the persistent store.
  - When this setting is used with the End of servlet service write frequency option, WebSphere does not have to write the last access time with every HTTP request. The reason is that WebSphere does not have to synchronize the invalidator thread's deletion with the HTTP request access.
You can find the session cleanup schedule setting in the Session management settings under the Custom tuning properties for distributed environments.
If you are going to use session cleanup, be aware of the following:
- HttpSession timeouts are not enforced. Instead, all invalidation processing is handled at the configured invalidation times.
- With listeners, described in 10.9.1, "Session listeners", processing is potentially delayed by this configuration. It is not recommended if listeners are used.
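The programmatic method from the first list above, shown as an added example that is not part of the original text: a logout servlet that calls invalidate() and tolerates the session having already been invalidated by another request thread or by the invalidator thread. The class name, the /logout mapping, the /login.jsp target and the readAttribute helper are hypothetical, and the javax.servlet (Servlet 3.0 or later) API is assumed.

```java
import java.io.IOException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical logout servlet; names and paths are assumptions, not WebSphere defaults.
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    // Logout changes server state, so it is handled on POST rather than GET.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // getSession(false) avoids creating a new session only to destroy it.
        HttpSession session = req.getSession(false);
        if (session != null) {
            try {
                // Removes the session from the session cache and the persistent store.
                session.invalidate();
            } catch (IllegalStateException alreadyInvalid) {
                // Another request thread or the invalidator thread invalidated it first.
            }
        }
        // Keep the post-logout response out of browser and proxy caches.
        resp.setHeader("Cache-Control", "no-store");
        resp.sendRedirect(req.getContextPath() + "/login.jsp");
    }

    // For code on other threads that may still hold a reference to the session:
    // every accessor throws IllegalStateException once the session is invalidated,
    // so treat that as "no session" instead of letting the request fail.
    static Object readAttribute(HttpSession session, String name) {
        if (session == null) {
            return null;
        }
        try {
            return session.getAttribute(name);
        } catch (IllegalStateException invalidated) {
            return null;
        }
    }
}
```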