tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: set tomcat max session allow
Date Tue, 13 Jan 2009 21:27:26 GMT
Hash: SHA1


Caldarale, Charles R wrote:
> I don't believe there's any configuration mechanism for this
> capability.  You can implement an HttpSessionListener in conjunction
> with a fairly simple filter or valve for the webapps of interest to
> limit the number of sessions per webapp.  See section 10 of the
> Servlet spec for details about event listeners: 
> The listener cannot stop a session from being created; it would
> simply maintain a count of active sessions for the webapp.  The
> filter or valve should be the first item in the request processing
> chain, and it would have the responsibility of checking the count
> maintained by the listener and deciding whether to proceed with the
> request or forward/redirect to an error page.

If you coupled an HttpSessionListener with a wrapper around the
HttpServletRequest that checks with the session listener, you could veto
the creation of sessions (which might actually be "safer" in this case,
since you avoid creating lots of sessions that are never used because
you forward the user to an error page).

It would work something like this:

- - Keeps an accurate count of active sessions

- - Overrides getSession and getSession(boolean) to consult
  the HttpSessionListener's active session count;
  throws an exception if the count exceeds some configurable limit

Communication between these two object is left as an exercise for the
reader ;)

- -chris

Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla -


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message