Session management settings

Session management settings

Manage HTTP sessions. Support includes specifying a session tracking mechanism, setting maximum in-memory session count, controlling overflow, and configuring session timeout. To view at the web container level...
Servers > Server Types > WebSphere application servers > server > Session management

We can override the session management settings at the application level.

Session tracking mechanism

Mechanism Function Default
Enable cookies Session tracking uses cookies to carry session IDs. If not enabled, session tracking uses URL rewriting instead. Enabling cookies takes precedence over URL rewriting. Application level session management settings override the server level session management settings. Because session management is defined at the application level, enabling cookies for the administration console is handled in the deployment.xml file. Cookie names in the web.xml file override application level and server level session management settings. Further, cookie names from a ServletContextListener object override all settings. HTTPOnly is set true by default. true (selected)
Enable URL rewriting The session management facility uses rewritten URLs to carry the session IDs. If URL rewriting is enabled, the session management facility recognizes session IDs that arrive in the URL if the encodeURL method is called in the servlet. false (cleared)
Enable protocol switch rewriting Available when Enable URL rewriting is selected. The session ID is added to a URL when the URL requires a switch from HTTP to HTTPS or from HTTPS to HTTP. If rewriting is enabled, the session ID is required to go between HTTP and HTTPS. false (cleared)
Enable SSL ID tracking Session tracking using the SSL ID is deprecated in WAS v7.0. Session tracking uses SSL information as a session ID. Enabling SSL tracking takes precedence over cookie-based session tracking and URL rewriting. There are two parameters available if we enable SSL ID tracking: SSLV3Timeout and SAS. SSLV3Timeout specifies the time interval after which SSL sessions are renegotiated. This parameter is a high setting and modification does not provide any significant impact on performance. The SAS parameter establishes an SSL connection only if it goes out of the JVM to another JVM. If all the beans are co-located within the same JVM, the SSL used by SAS does not hinder performance. These parameters are set by editing the sas.server.properties and sas.client.props files, located in the product_installation_root/properties directory, where product_installation_root is the directory where WebSphere Application Server is installed. SAS is supported only between v6.0.x and previous version servers that have been federated in a v6.1 cell. false (cleared)

Maximum in-memory session count

Maximum number of sessions to maintain in memory for each web module.

The meaning differs depending on whether we are using in-memory or distributed sessions. For in-memory sessions, this value specifies the number of sessions in the base session table for a web module. Use the Allow overflow property to specify whether to limit sessions to this number for the entire session management facility or to allow additional sessions to be stored in secondary tables. For distributed sessions, this value specifies the size of the memory cache for sessions of each web module. When the session cache has reached its maximum size and a new session is requested, the session management facility removes the least recently used session from the cache to make room for the new one.
Do not set this value to a number less than the maximum thread pool size for the server.

Allow overflow

That the number of sessions in memory can exceed the value specified by the Max in-memory session count property. This option is valid only in non-distributed sessions mode.

Session timeout

Specifies how long a session can go unused before it is no longer valid. Specify either Set timeout or No timeout. Specify the value in minutes greater than or equal to two.

The value specified in a web module deployment descriptor file takes precedence over the administrative console settings. However, the value of this setting is used as a default when the session timeout is not specified in a web module deployment descriptor. To preserve performance, the invalidation timer is not accurate to the second. When the write frequency is time-based, ensure that this value is least twice as large as the write interval.

Security integration

That when security integration is enabled, the session management facility associates the identity of users with their HTTP sessions. Session security (security integration) is enabled by default.

Serialize session access

That concurrent session access in a given server is not permitted.

Mechanism Function
Maximum wait time Maximum amount of time a servlet request waits on an HTTP session before starting. Optional and expressed in seconds. The default is five seconds. Under normal conditions, a servlet request waits for access to an HTTP session and is notified by the request that currently owns the given HTTP session when the request finishes.
Allow access on timeout Specifies whether the servlet starts normally or stops processing from a timeout. The servlet starts normally when this box is checked. If this box is not checked, the servlet stops processing and error logs are generated.

Configure session tracking
Configure session management by level
Session management custom properties

Mechanism	Function	Default
Enable cookies	Session tracking uses cookies to carry session IDs. If not enabled, session tracking uses URL rewriting instead. Enabling cookies takes precedence over URL rewriting. Application level session management settings override the server level session management settings. Because session management is defined at the application level, enabling cookies for the administration console is handled in the deployment.xml file. Cookie names in the web.xml file override application level and server level session management settings. Further, cookie names from a ServletContextListener object override all settings. HTTPOnly is set true by default.	true (selected)
Enable URL rewriting	The session management facility uses rewritten URLs to carry the session IDs. If URL rewriting is enabled, the session management facility recognizes session IDs that arrive in the URL if the encodeURL method is called in the servlet.	false (cleared)
Enable protocol switch rewriting	Available when Enable URL rewriting is selected. The session ID is added to a URL when the URL requires a switch from HTTP to HTTPS or from HTTPS to HTTP. If rewriting is enabled, the session ID is required to go between HTTP and HTTPS.	false (cleared)
Enable SSL ID tracking	Session tracking using the SSL ID is deprecated in WAS v7.0. Session tracking uses SSL information as a session ID. Enabling SSL tracking takes precedence over cookie-based session tracking and URL rewriting. There are two parameters available if we enable SSL ID tracking: SSLV3Timeout and SAS. SSLV3Timeout specifies the time interval after which SSL sessions are renegotiated. This parameter is a high setting and modification does not provide any significant impact on performance. The SAS parameter establishes an SSL connection only if it goes out of the JVM to another JVM. If all the beans are co-located within the same JVM, the SSL used by SAS does not hinder performance. These parameters are set by editing the sas.server.properties and sas.client.props files, located in the product_installation_root/properties directory, where product_installation_root is the directory where WebSphere Application Server is installed. SAS is supported only between v6.0.x and previous version servers that have been federated in a v6.1 cell.	false (cleared)

Mechanism	Function
Maximum wait time	Maximum amount of time a servlet request waits on an HTTP session before starting. Optional and expressed in seconds. The default is five seconds. Under normal conditions, a servlet request waits for access to an HTTP session and is notified by the request that currently owns the given HTTP session when the request finishes.
Allow access on timeout	Specifies whether the servlet starts normally or stops processing from a timeout. The servlet starts normally when this box is checked. If this box is not checked, the servlet stops processing and error logs are generated.