tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: disabling session management
Date Tue, 12 Oct 2010 21:14:02 GMT
Hash: SHA1


On 10/11/2010 8:54 AM, emerson wrote:
> Thousands of Session instances inside the sessioins attribute of the
> org.apache.catalina.session.StandardManager.
> In theory we are not calling getSessions on the middle tier and as you
> mentioned, we have no JSPs either.

Okay, so you have lots of HttpSession objects being created. :(

> However, we might be passing a jsession parameter from the frontend to
> the middle tier. Would that be an issue, causing the session to be
> created in the middle tier?

That shouldn't affect anything: Tomcat will only create an HttpSession
object if the code requests one. The client cannot force the creation of
a session. That would be a pretty big DoS vulnerability.

>>> What is the impact of using session-timeout = 0?
>> Your sessions will never time out, and your problem will likely get worse.
> In the only place I see any reference to it is here:
> And it says that "A negative time indicates the session should never
> timeout.". there is no mention about setting as "0".

I thought I looked that up when I responded, but apparently I didn't.
It's covered in SRV.7.5 of the servlet spec (v2.5) and you're right: -1
means "never time out" while 0 presumably means "expire as soon as

The best way to find out what code is generating the sessions is to
install an HttpSessionListener. I know that I've posted code previously
to this list that will emit a stack trace to the application log when a
session is created. You could look that up or simply write one from
scratch. Hint: it's next to trivial to implement this.

Good luck,
- -chris
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla -


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message