How precise is websphere's session expiration?

Question

We wrote some jquery and java code to support passing a cookie with the expected session expiration time to the client, which then prompts the user two minutes before to give them the chance to extend their session. If they fail to do so in time, they get forwarded on their next button click to a landing page.

Works great...most of the time. Every so often, a tester trying to test this will wait 4 minutes after the prompt comes up, click a button only to find that their session is still alive despite waiting 2 full extra minutes longer than they should have had to for the session to die.

Is the spec just not that precise with when sessions expire? Should we sort of blow this off as not a big deal? we're using ibm's websphere as our app server.

Answer 1

I assume you set the session expiration time to two minutes on the server. That is, not the cookie expiration time.

The session should expired after two minutes. However the session can come back alive (but empty) after expired if application (click button) called getSession(true) instead of getSession(false).

If this isn't the case, can you enable the session trace : com.ibm.ws.session.*=all

Answer 2

WebSphere has a setting called HttpSessionReaperPollInterval that controls this behavior.

Use this property to specify, in seconds, a wake-up interval for the process that removes invalid sessions. The value specified for this property overrides the default installation value, which is between 30 and 360 seconds, and ensures that the reaper process runs at a specific interval.

https://www.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.base.doc/ae/rprs_custom_properties.html

Although the property can be adjusted, it may still not make sense to change the default value in your scenario.