Thanks for the curl check.

This is what I get from the default page (from the server)

curl -vv http://www.myapp.co.uk/

*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to www.myapp.co.uk (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: www.myapp.co.uk
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 302 302
< Date: Wed, 09 Apr 2025 18:30:24 GMT
< Server: Apache
< Location: /main/
< Content-Length: 0
< Content-Type: text/html;charset=UTF-8
<
* Connection #0 to host www.myapp.co.uk left intact

I can use this now to narrow down which pages from the logs are creating the sessions.

I will also look at your suggestions on the valve and session time out.

Many thanks.

On 09/04/2025 19:29, Christopher Schultz wrote:
Greg,

On 4/9/25 7:22 AM, Greg Huber wrote:
I have noticed that it seems I have a lot of sessions open, when looking in the application manager.  It was 800+.  I don't remember seeing it this high before.  If I refresh the screen I can see the number going up slowly.  I have not made any changes on my app that would cause this.

I have reset it 10 minutes ago, and it's now at 350.

Does this sound OK?

Maybe?

What happens when you hit the root of your web application? Do you have any component that creates a session?

You can probably check easily like this:

$ curl -vv https://yoursite/yourapp/

If the response includes a Set-Cookie: JSESSIONID=... header then anybody coming by your application will create a session.

If you use the default 30-minute session inactivity timeout, that means any casual passer-by, web crawler, or potential attacker can create as many sessions as they want.

You might want to look at using the crawler session manager valve[1]. You may also want to reduce the default inactivity timeout for your sessions from 30 minutes to something shorter, then raise the timeout for each session after authentication. That way, these trivial sessions will time out more quickly.

-chris

[1] https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Crawler_Session_Manager_Valve
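The "short timeout by default, longer after authentication" approach from the reply above, as an added example that is not code from either poster or from Tomcat itself. It assumes a Tomcat 9 / Servlet 4 (javax.servlet) web application; the two timeout values, the attribute name "user" and the method name promoteAfterLogin are illustrative choices, not anything the thread specifies.

```java
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Added example: every freshly created session gets a short inactivity
 * timeout, and only a session that has been through login is lengthened.
 * Sessions created by crawlers or casual visitors therefore expire quickly
 * instead of living for the default 30 minutes.
 */
@WebListener
public class ShortAnonymousSessionListener implements HttpSessionListener {

    /** Timeout for sessions nobody has logged into yet (assumed value: 2 minutes). */
    static final int ANONYMOUS_TIMEOUT_SECONDS = 120;

    /** Timeout applied once the user is authenticated (assumed value: 30 minutes). */
    static final int AUTHENTICATED_TIMEOUT_SECONDS = 30 * 60;

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // Runs for every new session, whatever <session-timeout> in web.xml says.
        se.getSession().setMaxInactiveInterval(ANONYMOUS_TIMEOUT_SECONDS);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Nothing to clean up in this example.
    }

    /**
     * Call this from the login code after the credentials have been verified.
     * The old (short-lived, possibly attacker-known) session id is discarded and a
     * fresh session is created, which also protects against session fixation;
     * the fresh session then gets the longer timeout.
     */
    public static HttpSession promoteAfterLogin(HttpServletRequest request, String username) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true); // sessionCreated() gives it the short timeout
        fresh.setMaxInactiveInterval(AUTHENTICATED_TIMEOUT_SECONDS);
        fresh.setAttribute("user", username);          // attribute name is an assumption
        return fresh;
    }
}
```

The curl check in the reply tells you whether the root URL hands out a JSESSIONID at all; this listener limits the damage when some page legitimately must. It complements, rather than replaces, the crawler session manager valve linked above (class org.apache.catalina.valves.CrawlerSessionManagerValve in server.xml or context.xml), which folds requests from recognised crawler user agents into a single session.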


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

