Session management custom properties
Overview
We can specify additional settings for session management through setting custom properties. Session management properties, like the session management configuration, can be configured at the server, application, or Web module level.
To set custom properties for session management at the server level, from the admin console...
Servers | Server Types | WebSphere application servers | server_name | Session management | Additional Properties | Custom Properties | Custom Properties | NewRestart the server after saving your change.
Custom properties
- CloneSeparatorChange
- Maintain session affinity. The clone ID of the server is appended to session identifier separated by colon. On some Wireless Application Protocol (WAP) devices, a colon is not allowed. Set true to change clone separator to a plus sign (+).
- HttpSessionCloneId
- Change the clone ID of the cluster member. Within a cluster, this name must be unique to maintain session affinity. When set, this name overwrites the default name generated by WAS.
Default clone ID length: 8 or 9
- HttpSessionIdLength
- Configure the session identifier length. Do not use an extremely low value; using a low value results in reduced number of combinations possible, thereby increasing risk of guessing the session identifier. In a cluster, all cluster members should be configured with same ID length. Allowed range: 8 to 128. Default length: 23.
- HttpSessionReaperPollInterval
- Wake-up interval for the process that removes invalid sessions. Default is between 30 and 360 seconds...
- If the maximum inactive interval is less than 2 minutes, the reaper poll interval may be as short as 30 seconds.
- If the maximum inactive interval is more than 15 minutes, the reaper poll interval can be as long as 360 seconds.
Because the default timeout and maximum inactive interval is 30 minutes, the reaper interval is usually between 5 and 6 minutes. Set this property to verify the reaper process runs at a specific interval.
Use this property when you want the installation timed out sessions invalidated more frequently than 5 to 6 minutes. For example, setting HttpSessionReaperPollInterval=120 ensures that sessions are invalidated within 2 minutes of timing out. The minimum value for this property is 30 seconds. If a value less than the minimum is entered, the specified property is ignored and an appropriate value is automatically determined and used.
The maximum inactive interval is the session timeout. The default is based on maximum inactive interval set in session management.
Data type Integer Units Seconds
- NoAdditionalSessionInfo
Set true to force removal of information not needed in session identifiers.
- NoAffinitySwitchBack
Set true to maintain affinity to the new member even after original one comes back up. When a cluster member fails, its requests routed to a different cluster member, and sessions are activated in that other member. Thus, session affinity is maintained to the new member, and when failed cluster member comes back up, the requests for sessions that were created in the original cluster member are routed back to it. Allowed values, true or false. Default: false.
Set true when we have distributed sessions configured with time-based write. Note that this property has no affect on the behavior when distributed sessions is not enabled.
- SessionIdentifierMaxLength
Maximum length that a session identifier can grow.
In a cluster, because of fail-over when a request goes to new cluster member, session management appends a new clone ID to the existing clone ID. In a large cluster, if for some reason servers are failing more often, then it is possible that the session identifier length can be more than expected reducing room for URL. This property helps to find out the condition and take appropriate action to address servers fail-over. When this is specified, message is logged when specified maximum length is reached. Allowed value: integer.
- SessionRewriteIdentifier
- Change the key used with URL rewriting. Default key: jsessionid.
- Servlet21SessionCompatibility
Set true to enable global session behavior. In Servlet 2.2 and later, sessions are scoped at the Web module level. The default is false.
Deprecated. The IBMApplicationSession method replaces the function of the Servlet21SessionCompatibility custom property.
- SessionTableName
- Set the database table name. Allowed value: String. The default value is SESSIONS.
Some applications may rely on method...
ejbCreate(...)...to have created the entity bean in the database. For such a requirement, setting the JVM property...
com.ibm.websphere.ejbcontainer.allowEarlyInsert...to true overrides the default behavior.
- UseInvalidatedId
Set true to reuse the incoming ID if the session with that ID was recently invalidated. This is a performance optimization because it prevents checking the persistent store. The default value is true.
- UseOracleBLOB
- Create the HTTP session database table using the Binary Large Object (BLOB) data type for the medium column.
Increases performance of persistent sessions when Oracle databases are used. Due to an Oracle restriction, BLOB support requires use of the Oracle's oci database driver for more than 4000 bytes of data. You must also ensure that a new sessions table is created before the server is restarted by dropping the old sessions table or by changing the datasource definition to reference a database that does not contain a sessions table.
To create a sessions table using the BLOB data type, use the following name-value pair:
Name Value UseOracleBLOB true
- DebugSessionCrossover
- Enable code to perform additional checks to verify that only the session associated with the request is accessed or referenced. Messages are logged if any discrepancies are detected.
To enable session data crossover detection, use the following name-vaule pair:
Name Value DebugSessionCrossover true
See article, HTTP session problems, for additional information.
- HttpSessionIdReuse
- Determine whether the session manager can use the session ID sent from a browser to preserve session data across Web apps running in an environment not configured for session persistence.
In a multi-JVM environment not configured for session persistence setting this property to true enables the session manager to use the same session information for all of a user's requests even if the Web apps that are handling these requests are governed by different JVMs. The default value for this property is false.
To enable the session manager to use the session ID sent from a browser to preserve session data across Web apps that are running in an environment not configured for session persistence, use the following name-value pair:
Name Value HttpSessionIdReuse true
- OptimizeCacheIdIncrements
- Assess whether the in-memory session is older than the copy in persistent store. Setting true resolves the continually increasing cache ID.
If HTTP session management is configured to use session persistence and the user's browser session is moving back and forth across multiple Web apps we might see extra persistent store activity as the in-memory sessions are refreshed from the persistent store. As a result, the cache IDs are continually increasing and the in-memory session attributes are overwritten by those of the persistent copy. To prevent the cache IDs from continually increasing, use the following name-value pair:
Name Value OptimizeCacheIdIncrements true
If the configuration is a cluster, verify the system times of each cluster member is identical as possible.
- AlwaysEncodeURL
- The Servlet 2.5 spec specifies to not encode the URL on a response.encodeURL call if it is not necessary. To support backward compatibility when URL encoding is enabled, set the AlwaysEncodeURL custom property to true to call the encodeURL method. The URL is always encoded, even if the browser supports cookies. Use the following name-value pair to encode all URLs:
Name Value AlwaysEncodeURL true
- UsingApplicationSessionsAndInvalidateAll
- When the invalidateAllSet method is called, not all IBMApplicationSessions objects are checked. If using both the IBMApplicationSessions object and the invalidateAll call, use the following name-value pair:
Name Value UsingApplicationSessionsAndInvalidateAll true
- ForceSessionInvalidationMultiple
- Whether the session manager should wait indefinitely for a request to complete before attempting to invalidate the session, or should attempt to invalidate a session after the specified time limit has elapsed. The default value for this property is 1.
- If we specify 0 (zero) for this custom property, the session manager waits indefinitely until a request is complete before attempting to invalidate the session.
If the requests normally are not bound by a response time limit, pecify 0 for this property.
- If we specify a positive integer, such as 1, 2, or 3, for this custom property, even if a session is not known to have completed, the session manager attempts to invalidate the session, if the indicated time period since the last access occurred has elapsed. This time period is the result of multiplying the value specified for this property and the value specified for the Session Timeout property. For example, if we specify 2 minutes for the Session Timeout property and 2 for the ForceSessionInvalidationMultiple property, the session manager attempts to invalidate the session after 4 minutes.
To invalidate the sessions after a certain amount of time has elapsed, specify the appropriate positive integer for this property.
Name Value ForceSessionInvalidationMultiple 1
Related tasks
Set session management by level
Set session tracking