users@glassfish.java.net

Re: How are sessions stored? How many can be stored? Potential repercussions?

From: Wolfram Rittmeyer <w.rittmeyer_at_jsptutorial.org>
Date: Thu, 09 Apr 2009 08:13:58 +0200

glassfish_at_javadesktop.org wrote:
> We want to implement a "Remember Me" checkbox on our login form which would set that user's session to not timeout. I figured we can do this with request.getSession().setMaxInactiveInterval(-1);
>
> My question is this: If we're creating 50K sessions a day, and we set them all to never timeout...
> - Where and how are they stored?
> - What problems might we encounter doing this?
> - If they are stored in memory, could memory consumption be a problem? If so, is there a way to configure where they are stored (e.g. store 5000 in memory and the rest on disk, or in a DB)?
> - If they are stored on disk, could I/O be a problem?
>

You can set this behaviour in the sun-web.xml file. There you can state
whether to store sessions in memory or on file. You have to create a
session-config element beneath the root element sun-web-app like this:

<sun-web-app>
    <session-config>
        <session-manager persistence-type="file">
        </session-manager>
    </session-config>
</sun-web-app>

There are also some properties to configure this. This is described in
detail here (for v2.1):
http://docs.sun.com/app/docs/doc/820-4337/beayb?a=view

Nevertheless I think using unlimited sessions is not working well in any
case. I think a better approach would be to set a long-living cookie
that contains an encrypted (!) key like user id, basket id or something. Now
when this user returns you can restore information from the database.

Anything long-living is normally of interest to your business. You might
want to get reports on e.g. which items users have put in baskets but
tend to keep them there for a long time before checking out. About how
many sessions are how old and what not. All these things are much easier
to do with a database.

Also databases are backed up on a regular basis anyway. With long living
sessions you would have to back up the session directory as well. No
serious issue but it doesn't sound right to me.

And keep in mind that not only long-lived sessions but all sessions are
stored on disk. Depending on the number of sessions (50k total or 50k
long-lived?) this might cause IO issues.

All in all using non-expiring sessions for this use case (I personally
see _no_ use whatsoever for them) tends to make things more complicated
in the long run.

--
Wolfram Rittmeyer
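
The following is an added example, not part of the original message or of GlassFish: one way to build the long-lived cookie value suggested above, sealing a user id and an expiry time with AES-GCM so that the value can neither be read nor altered by the client. The class name RememberMeToken, the "expiry|userId" layout and the in-process demo key are assumptions made for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;

// Hypothetical helper (not a GlassFish API): seals "expiryMillis|userId" with AES-GCM.
public class RememberMeToken {
    private static final SecureRandom RNG = new SecureRandom();
    private final SecretKey key;

    public RememberMeToken(byte[] rawKey) { this.key = new SecretKeySpec(rawKey, "AES"); }

    // Cookie value = base64url(12-byte random IV || ciphertext || 16-byte GCM tag).
    public String issue(String userId, long expiresAtMillis) throws Exception {
        byte[] iv = new byte[12];
        RNG.nextBytes(iv); // a fresh IV per token; never reuse one with the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal((expiresAtMillis + "|" + userId).getBytes(StandardCharsets.UTF_8));
        byte[] out = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    // Returns the user id, or null if the token is malformed, tampered with or expired.
    public String verify(String token, long nowMillis) {
        try {
            byte[] in = Base64.getUrlDecoder().decode(token);
            if (in.length < 12 + 16) return null; // too short to hold IV and tag
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 0, 12));
            String plain = new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
            int sep = plain.indexOf('|');
            long expires = Long.parseLong(plain.substring(0, sep));
            return nowMillis < expires ? plain.substring(sep + 1) : null;
        } catch (Exception e) { // bad Base64, failed GCM tag check or bad layout
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] k = new byte[16];
        RNG.nextBytes(k); // constructed demo key; a real key lives in protected configuration
        RememberMeToken t = new RememberMeToken(k);
        long now = System.currentTimeMillis(), month = 30L * 24 * 3600 * 1000;
        String tok = t.issue("user-42", now + month); // "user-42" is a constructed sample id
        String tampered = (tok.charAt(0) == 'A' ? 'B' : 'A') + tok.substring(1);
        System.out.println(t.verify(tok, now) + " " + t.verify(tampered, now) + " " + t.verify(tok, now + 2 * month));
    }
}
```

On a returning request the servlet would call verify() on the cookie value and, if it yields a user id, load that user's data from the database into a fresh, normally expiring session. The cookie itself should be set with the Secure and HttpOnly attributes.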