Hello,

Going through the logs, the session creation was being triggered from our 403 jsp page (they were not following the robots.txt and got themselves banned).

10 minutes of log entries: (752 403's)

752 (32.71%)    0 (00.00%)    1.5 MiB (04.64%)    403 - Forbidden: Server is refusing to respond to it

####

It's been a long time since I looked at this; does adding session="false" to the 403 page directive seem a good solution?

<%@ page language="java" contentType="text/html; charset=UTF-8" session="false" %>

I have tested it and it does stop the creation/incrementing.

Cheers Greg
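As an added illustration of the advice in this thread (not code from Greg's application or from Tomcat itself): a Tomcat 9 (javax.servlet) listener that gives every newly created session a short inactivity timeout, so crawler and 403-page sessions expire quickly, and a hypothetical helper `promoteAuthenticated` that the app's login handler is assumed to call once credentials are verified. It complements, rather than replaces, putting session="false" on pages that never need a session.

```java
// Added example, not from the mailing-list thread or the Tomcat project.
// Assumes a Tomcat 9 / javax.servlet web app and that the login code
// calls SessionTimeoutPolicy.promoteAuthenticated(session) after login.
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

@WebListener
public class SessionTimeoutPolicy implements HttpSessionListener {

    // Sessions that have not authenticated (crawlers, 403 hits, casual
    // visitors) only get 2 minutes instead of the default 30.
    static final int ANONYMOUS_TIMEOUT_SECONDS = 2 * 60;

    // Authenticated users keep the usual 30-minute inactivity timeout.
    static final int AUTHENTICATED_TIMEOUT_SECONDS = 30 * 60;

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // Overrides web.xml <session-timeout> for every new session;
        // it is raised again only by promoteAuthenticated().
        se.getSession().setMaxInactiveInterval(ANONYMOUS_TIMEOUT_SECONDS);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Nothing to clean up. This is a convenient place to count how
        // many sessions expire without ever authenticating.
    }

    /**
     * Hypothetical hook for the application's login handler: call it
     * after the user's credentials have been verified so that real
     * users are not logged out by the short anonymous timeout.
     */
    public static void promoteAuthenticated(HttpSession session) {
        session.setMaxInactiveInterval(AUTHENTICATED_TIMEOUT_SECONDS);
    }
}
```

The Crawler Session Manager Valve from Chris's link addresses the same symptom from the other side, by sharing one session across requests from known crawler user agents.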

On 09/04/2025 19:29, Christopher Schultz wrote:
Greg,

On 4/9/25 7:22 AM, Greg Huber wrote:
I have noticed that it seems I have a lot of sessions open when looking in the application manager. It was 800+. I don't remember seeing it this high before. If I refresh the screen I can see the number going up slowly. I have not made any changes on my app that would cause this.

I have reset it 10 minutes ago, and it's now at 350.

Does this sound OK?

Maybe?

What happens when you hit the root of your web application? Do you have any component that creates a session?

You can probably check easily like this:

$ curl -vv https://yoursite/yourapp/

If the response includes a Set-Cookie: JSESSIONID=... header, then anybody coming by your application will create a session.

If you use the default 30-minute session inactivity timeout, that means any casual passer-by, web crawler, or potential attacker can create as many sessions as they want.

You might want to look at using the crawler session manager valve[1]. You may also want to reduce the default inactivity timeout for your sessions from 30 minutes to something shorter, then raise the timeout for each session after authentication. That way, these trivial sessions will time out more quickly.

-chris

[1] https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Crawler_Session_Manager_Valve


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org