I have a problem with session management. Currently G stores all sessions in
memory, so after memory is exhausted, G crashes.
It's very easy to DoS the Geronimo server that way (just run the ab benchmark tool
from Apache) and it takes just a few minutes. Also, a lot of bots don't bother
with sending the session cookie back - they are eating valuable server memory if
session handling is enabled for a JSP page.
I propose to change the Tomcat session manager to a manager with a swap-to-disk
feature. It's called org.apache.catalina.session.PersistentManager and it
should be used by default and configured via a portlet. Other application
servers, like WAS, can limit the number of open sessions and thus increasing