Hello,
I have a web application deployed in GF v2.1.1 ((v2.1 Patch06)(9.1_02 Patch12)) (build b31g-fcs).
The session is cached in a cookie. There are two ways to invalidate a session:
1. The user, if logged in, can use a logout button.
2. The session is invalidated after a timeout (60 minutes).
The problem is that approximately 25% of all sessions ever created will never get invalidated. The number of active sessions grows and grows and grows.
I have double-checked that this is true. First, by enabling the monitor in GlassFish. Second, by implementing a SessionCounter myself. The results are the same: ~25% of all sessions created will never get invalidated.
I think there is something wrong with the session timeout. The session timeout must ensure that every session gets invalidated after a defined time. This does not seem to be the case.
Another important note: Before I switched to SGES 2.1.1 I used SJSAS 9.1, where the problem didn't occur. Every session got invalidated by the session timeout.
Is this a bug? Any other hints?
[Message sent by forum member 'zebhed']
http://forums.java.net/jive/thread.jspa?messageID=395605
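
An added example, not part of the original post and not GlassFish code: one way to write the kind of session counter described above so that it also names the sessions that have outlived their timeout, which matters because a session that never expires keeps its cookie usable indefinitely. The class name SessionAudit and its methods are hypothetical; only the standard javax.servlet.http listener API is used, and the listener is assumed to be registered with a `<listener>` element in web.xml.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical diagnostic listener (not from the original post).
public class SessionAudit implements HttpSessionListener {
    private static final AtomicLong created = new AtomicLong();
    private static final AtomicLong destroyed = new AtomicLong();
    // Sessions by id; an entry leaves only when the container reports destruction.
    private static final Map<String, HttpSession> live =
            new ConcurrentHashMap<String, HttpSession>();

    public void sessionCreated(HttpSessionEvent e) {
        created.incrementAndGet();
        live.put(e.getSession().getId(), e.getSession());
    }

    public void sessionDestroyed(HttpSessionEvent e) {
        destroyed.incrementAndGet();
        live.remove(e.getSession().getId());
    }

    /** Sessions the container still holds although they are past their own timeout. */
    public static List<String> overdue(long nowMillis) {
        List<String> report = new ArrayList<String>();
        for (Map.Entry<String, HttpSession> entry : live.entrySet()) {
            String id = entry.getKey();
            HttpSession s = entry.getValue();
            try {
                int maxIdle = s.getMaxInactiveInterval();   // seconds; negative = never times out
                long idle = (nowMillis - s.getLastAccessedTime()) / 1000L;
                if (maxIdle < 0) {
                    report.add(id + " never times out (maxInactiveInterval=" + maxIdle + ")");
                } else if (idle > maxIdle) {
                    report.add(id + " idle " + idle + "s, timeout " + maxIdle + "s");
                }
            } catch (IllegalStateException invalidated) {
                // getLastAccessedTime() throws once a session is invalidated.
                report.add(id + " invalidated, but sessionDestroyed was never observed");
            }
        }
        return report;
    }

    public static String summary() {
        return "created=" + created.get() + " destroyed=" + destroyed.get() + " live=" + live.size();
    }
}
```

Calling `SessionAudit.overdue(System.currentTimeMillis())` from a diagnostic page or timer separates three cases: sessions configured never to time out, sessions past their timeout that the container has not reaped, and sessions invalidated without the listener being notified.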