HTTP session invalidation
HTTP sessions are invalidated in either of two ways:
- Calling the invalidate method on the session object
- Specifying a time interval using the MaxInactiveInterval property
Sessions invalidated explicitly by application code are invalidated immediately. Sessions not invalidated by application code are invalidated by the session manager, regardless of session persistence configuration.
We can specify whether the session is invalidated immediately or after a specified time interval. For immediate invalidation, the application should call the invalidate method. For invalidation after a time interval, we can set the ReaperInterval Web container custom property, in seconds, to specify how often the invalidation thread runs.
For example, for a maximum inactive interval less than 15 minutes, the ReaperInterval value is approximately 60 to 90 seconds. For a maximum inactive interval greater than 15 minutes, the ReaperInterval value is approximately 300 to 360 seconds.
A session is invalidated when the MaxInactiveInterval is exceeded and the ReaperInterval passes. After a session is eligible for invalidation, the invalidation thread must run for the session to be invalidated. Therefore, a session might not be invalidated until the sum of the MaxInactiveInterval and ReaperInterval values, in seconds, has elapsed.
A session that has exceeded the MaxInactiveInterval but is not yet removed by the invalidation thread is still available for use. If that session is requested, it is returned to the client.
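One way for an application to close that window, shown as an added example that is not code from the original page: a servlet filter that compares the idle time with MaxInactiveInterval on every request and calls invalidate itself. The class name, the session attribute name and the 401 response are assumptions, and the javax.servlet API is assumed.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical filter: enforces the idle timeout on every request instead of
 *  waiting for the session manager's invalidation thread. */
public class StrictIdleTimeoutFilter implements Filter {
    // Hypothetical attribute name; holds the time of the previous request.
    static final String LAST_SEEN = "strictIdle.lastSeenMillis";

    /** True when the idle time exceeds the session's MaxInactiveInterval. */
    static boolean isExpired(long lastSeenMillis, int maxInactiveSeconds, long nowMillis) {
        // A zero or negative interval means the session never times out.
        return maxInactiveSeconds > 0
                && nowMillis - lastSeenMillis > maxInactiveSeconds * 1000L;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false); // never create one here
        long now = System.currentTimeMillis();
        if (session != null) {
            Long lastSeen = (Long) session.getAttribute(LAST_SEEN);
            if (lastSeen != null
                    && isExpired(lastSeen, session.getMaxInactiveInterval(), now)) {
                // Past MaxInactiveInterval but not yet reaped: invalidate now.
                session.invalidate();
                ((HttpServletResponse) res).sendError(
                        HttpServletResponse.SC_UNAUTHORIZED, "Session expired");
                return;
            }
            session.setAttribute(LAST_SEEN, now); // record this request's time
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

The filter keeps its own timestamp rather than relying on getLastAccessedTime, because whether that value already reflects the current request depends on the container.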