Maximum in-memory session count
The maximum in-memory session count number has different meanings, depending on session support configuration:
- When sessions are being stored in memory, session access is optimized for up to this number of sessions. This value also specifies the number of sessions in the base session table.
- When sessions are being stored in a database or in another instance, it also specifies the cache size and the number of last access time updates that are saved in manual update mode.
For persistent sessions, when the session cache has reached its maximum size and a new session is requested, Session Manager removes the least recently used session from the cache to make room for the new one.
General memory requirements for the hardware system, and the usage characteristics of the e-business site, determines the optimum value.
Overflow in non-persistent sessions
By default, the number of sessions maintained in memory is specified by the maximum in-memory session count. If you do not wish to place a limit on the number of sessions maintained in memory and allow overflow, select Allow overflow.
Allowing an unlimited amount of sessions can potentially exhaust system memory and even allow for system sabotage. Someone could write a malicious program that continually hits your site and creates sessions, but ignores any cookies or encoded URLs and never utilizes the same session from one HTTP request to the next.
When overflow is disallowed, the Session Manager still returns a session with the HttpServletRequest's getSession(true) method if the memory limit has currently been reached, but it would be an invalid session that is not saved.
With the WAS extension to HttpSession, com.ibm.websphere.servlet.session.IBMSession, an isOverflow() method returns true if the session is an invalid session. An application could check this and react accordingly.