4 Replies Latest reply on Apr 6, 2015 4:28 PM by pferraro

limit number of http sessions

mlybarger Apr 1, 2015 10:08 PM

i'd like to limit the number of http sessions in my application. i thought i could set the following in jboss-web.xml

<jboss-web>   
   <max-active-sessions>1</max-active-sessions>
   <passivation-config>
      <use-session-passivation>false</use-session-passivation>
   </passivation-config>
</jboss-web>

to limit to one http session, but then i hit the app with two instances and both get a session created.

i used a simple jsp to create the session:

<html>
<body>
<h2>Hello World!</h2>
<%=request.getSession().toString()%>
</body>
</html>

and i use jboss cli to verify the session count:

[standalone@localhost:9990 /] /deployment=example.war/subsystem=undertow/:read-resource(include-runtime=
true)
{
    "outcome" => "success",
    "result" => {
        "active-sessions" => 2,
        "context-root" => "/example",
        "server" => "default-server",
        "sessions-created" => 2,
        "virtual-host" => "default-host",
        "servlet" => undefined
    }
}

any ideas or help would be appreciated. currently, i have an application that has manual session tracking and counting. that code seems volatile to me. the servlet has a static variable that gets incremented when sessions are created and decremented when sessions are destroyed. when they're over the max, the servlet handles the response.

thanks!

-mark-

1. Re: limit number of http sessions

mlybarger Apr 1, 2015 11:22 PM (in response to mlybarger)

i've been doing more research. it seems that all <passivation-config> was deprecated (no longer used).

so, i looked to the source code of undertow, and i find the InMemorySessionManager has an option for: exictOldestUnusedSessionOnMax.

if this gets set to false, it rejects the connections per my understanding of lines 132-135 in the code:

https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/server/session/InMemorySessionManager.java

the question remains; how to set this to false...?
Actions
2. Re: limit number of http sessions

pferraro Apr 6, 2015 8:21 AM (in response to mlybarger)

This behavior was changed in this commit[1]. Apart from the misspelling (seems like a cross between evict and expire), I think the default behavior (WildFly does not currently contain a mechanism to override it[2]) should really be false, since this new behavior is counter to the servlet specification which states that sessions should remain active until the configured session-timeout.

Regarding passivation, this was deprecated in WF8, since the value is easily implied by max-active-sessions. If this is non-zero, and your web application is distributable (requiring your session attributes to be serializable), then any sessions in excess of max-active-sessions will passivate.

[1] Make behaviour on hitting max sessions customisable · undertow-io/undertow@4c7915d · GitHub
[2] wildfly/UndertowDeploymentProcessor.java at master · wildfly/wildfly · GitHub
Actions
3. Re: limit number of http sessions

mlybarger Apr 6, 2015 3:32 PM (in response to pferraro)

This is VERY helpful, thanks. However, I don't see where exictOldestUnusedSessionOnMax ever gets set to false. The factory that creates the InMemorySessionManager doesn't seem to allow use of the new constructor.
Actions
4. Re: limit number of http sessions

pferraro Apr 6, 2015 4:28 PM (in response to mlybarger)

This is what I meant by: "WildFly does not currently contain a mechanism to override it[2]". I've opened:
[UNDERTOW-416] InMemorySessionManager.exictOldestUnusedSessionOnMax should default to false - JBoss Issue Tracker
Actions

Go to original post