Greg,
On 4/9/25 7:22 AM, Greg Huber wrote:
> I have noticed that it seems I have a lot of sessions open, when looking in
> the application manager. It was 800+. I don't remember seeing it
> this high before. If I refresh the screen I can see the number going up
> slowly. I have not made any changes on my app that would cause this.
> I have reset it 10 minutes ago, and it's now at 350.
> Does this sound OK?
Maybe?
What happens when you hit the root of your web application? Do you have
any component that creates a session?
You can probably check easily like this:
$ curl -vv https://yoursite/yourapp/
If the response includes a Set-Cookie: JSESSIONID=... header then
anybody coming by your application will create a session.
If you use the default 30-minute session inactivity timeout, that means
any casual passer-by, web crawler, or potential attacker can create as
many sessions as they want.
You might want to look at using the crawler session manager valve[1].
You may also want to reduce the default inactivity timeout for your
sessions from 30 minutes to something shorter, then raise the timeout
for each session after authentication. That way, these trivial sessions
will time out more quickly.
-chris
[1]
https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Crawler_Session_Manager_Valve
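
The "short default timeout, raised after authentication" suggestion above, sketched as a servlet filter. This is an added example, not code from the thread or from Tomcat. It assumes container-managed authentication (so getUserPrincipal() is non-null after login), the javax.servlet API used by Tomcat 9, and illustrative values: a 5-minute default in web.xml and a 30-minute authenticated timeout. The class name is hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Assumed web.xml setting so that anonymous sessions expire quickly
// (session-timeout is in minutes; 5 is an example value):
//   <session-config><session-timeout>5</session-timeout></session-config>
//
// On Tomcat 10 and later the same classes live under jakarta.servlet.
@WebFilter("/*")
public class AuthenticatedSessionTimeoutFilter implements Filter {

    // Timeout granted once a user has logged in (seconds; example value).
    private static final int AUTHENTICATED_TIMEOUT_SECONDS = 30 * 60;

    @Override
    public void init(FilterConfig filterConfig) {
        // No configuration needed.
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) request;

        // getSession(false) never creates a session, so this filter does not
        // itself hand a JSESSIONID to crawlers or anonymous visitors.
        HttpSession session = http.getSession(false);

        // Only sessions that belong to an authenticated user get the long timeout;
        // everything else keeps the short default from web.xml.
        if (session != null && http.getUserPrincipal() != null
                && session.getMaxInactiveInterval() != AUTHENTICATED_TIMEOUT_SECONDS) {
            session.setMaxInactiveInterval(AUTHENTICATED_TIMEOUT_SECONDS);
        }

        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

With form-based login the longer timeout takes effect on the first request after the login completes, since that is the first request that carries a user principal.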