HTTP session problems


 

+

Search Tips   |   Advanced Search

 

  1. Overview
  2. HTTP Sessions are not getting created, or are lost between requests.
  3. HTTP Sessions are not persistent (session data lost when appserver restarts, or not shared across cluster).
  4. Session is shared across multiple browsers on same client machine.
  5. Session is not getting invalidated immediately after specified session timeout interval.
  6. Unwanted sessions are being created by JSP.
  7. Session data intended for one client is seen by another client.
  8. A ClassCastException error occurs during failover of a session that contains an EJB reference.
  9. Users are not logged out after HTTP session timer expires

 

Overview

To update the session manager...

appserver | Additional properties | Web Container | Session manager

See also:

  1. Review: HTTP session manager troubleshooting tips
  2. Review: Managing HTTP sessions
  3. Check available online support
  4. Contact IBM support

 

HTTP sessions are not getting created, or are lost between requests

By default, the session manager uses cookies to store the session ID on the client between requests. Unless you intend to avoid cookie-based session tracking, ensure that cookies are flowing between WAS and the browser:

 

HTTP Sessions are not persistent

If the HTTP sessions are not persistent, that is session data is lost when the appserver restarts or is not shared across the cluster:

 

Session is shared across multiple browsers on same client machine

This behavior is browser-dependent. It varies between browser vendors, and also may change according to whether a browser is launched as a new process or as a subprocess of an existing browser session (for example by hitting Ctl-N on Windows).

The Cookie maximum age property of the session manager also affects this behavior, if cookies are used as the session-tracking mechanism. If the maximum age is set to some positive value, all browser instances share the cookies, which are persisted to file on the client for the specified maximum age time.

 

Session is not getting invalidated immediately after specified session timeout interval

The SessionManager invalidation process thread runs every x seconds to invalidate any invalid sessions, where x is determined based on the session timeout interval specified in the session manager properties. For the default value of 30 minutes , x is around 300 seconds. In this case, it could take up to 5 minutes (300 seconds) beyond the timeout threshold of 30 minutes for a particular session to become invalidated.

 

Unwanted sessions are being created by JSPs

As required by the JSPs specification, JSP pages by default perform a request.getSession(true), so that a session is created if none exists for the client. To prevent JSP pages from creating a new session, set the session scope to false in the .jsp file using the page directive as follows:

<% @page session="false" %>

 

Session data intended for one client is seen by another client

In rare situations, usually due to application errors, session data intended for one client might be seen by another client. This situation is referred to as session data crossover.

When the DebugSessionCrossover custom property is set to true, code is enabled to detect and log instances of session data crossover. Checks are performed to verify that only the session associated with the request is accessed or referenced. Messages are logged if any discrepancies are detected.

These messages provide a starting point for debugging this problem. This additional checking is only performed when running on the WebSphere-managed dispatch thread, not on any user-created threads.

 

Users are not logged out after the HTTP session timer expires

If users of WAS log onto an application and sit idle longer than the specified HTTP session timeout value, the user information is not invalidated and user credentials stay active until LTPA token timeout occurs.

After you apply PK25740, complete the following steps to log out users from the application after the HTTP session has expired.

  1. In the admin console, click...

    Security | Global security | Custom properties | New

  2. In the Name field, enter...

    com.ibm.ws.security.web.logoutOnHTTPSessionExpire

  3. In the Values field, enter true.

  4. Click Apply and Save to save the changes to the configuration.

  5. Resynchronize and restart the server.

IBM Support has documents and tools that can save you time gathering information needed to resolve problems as described in Troubleshooting help from IBM. Before opening a problem report, see the Support page:





Related concepts Best practices for using HTTP sessions
Sessions

 

Related tasks

Task overview: Managing HTTP sessions

 

Related

HTTP session manager troubleshooting tips