Recipe 2.2: Removing HttpSession objects automatically
Configuring a large session timeout value results in HttpSession objects occupying memory longer than necessary.
The Servlet container keeps track of all HttpSession objects and determines whether a user is active or not by comparing the time of the user's last access of the application with the session timeout value. With the default session timeout, if a user is inactive for more than 30 minutes, the container un-references the associated HttpSession object and allows the garbage collector to remove it from memory. This automatic removal process ensures that there are no memory leaks, but the downside is that a programmer can increase the session timeout value without knowing its effect on performance. If your application requirements state that user sessions can exceed 30 minutes, it makes sense to increase the session timeout value, but do not increase this value on mere assumption. The larger the session timeout value, the longer HttpSession objects stay in memory.
Let's see the effect of increasing the session timeout value by looking again at the two applications we introduced in the previous example: Application-A and Application-B. With a 30-minute session timeout value, Application-A gets one hundred thousand users with an average session size of 10KB and Application-B gets two hundred thousand users with an average session size of 10KB; they occupy memory as shown in Figure 4.3.
Now, if you configure the session timeout value as 60 minutes, the memory occupied by HttpSession objects will double, as shown in Figure 4.4, because if Application-A gets an average of one hundred thousand users in 30 minutes, then in 60 minutes there will be an average of two hundred thousand users. Similarly, Application-B gets four hundred thousand users in 60 minutes.
Figure 4.4 shows the memory usage has doubled when compared to Figure 4.3 if the session timeout value is configured as 60 minutes and HttpSession objects are not removed programmatically.
So how can we reduce the memory overhead of HttpSession objects caused by configuring a large session timeout value?
Do not increase the session timeout value unless it is absolutely necessary.
It is best if you can leave the default session timeout value at 30 minutes,
or even set it lower if your application permits.
But make sure that you do not configure the timeout value to a minimum,
which will result in unhappy users because HttpSession objects will be removed
automatically by the container after the timeout value elapses and users will
lose their data before their transactions are completed. If your application permits,
you may decide that the optimal timeout value is 20 - 25 minutes,
which will remove HttpSession objects sooner rather than later.
Listing 4.3 is a small snippet from the web.xml file that shows how to configure the session timeout value.
Listing 4.3 Part of web.xml file
Configuring session timeout value as 25 minutes
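The session-config element that sets this timeout in web.xml, shown as an added example rather than the book's own listing. Note that the value here is in minutes:

```xml
<!-- Added example: session-config is a direct child of <web-app> in WEB-INF/web.xml -->
<session-config>
    <!-- Value is in minutes (HttpSession.setMaxInactiveInterval() takes seconds).
         25 means the container removes a session after 25 minutes of inactivity.
         -1 means sessions never time out, so HttpSession objects stay in memory
         until they are invalidated in code. -->
    <session-timeout>25</session-timeout>
</session-config>
```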
You can also set the session timeout value using the HttpSession.setMaxInactiveInterval() method in your Servlet or JSP; however, it is important to understand that this sets the timeout value only for the current session. The following code snippet shows how to use this method in a JSP and a Servlet. You need to pass the time in seconds to this method. Note that passing -1 as the session timeout value, either in web.xml or in this method, indicates to the container that the session should never time out.
In JSP:
    session.setMaxInactiveInterval(25*60); // 25-minute session timeout, passed in seconds
In Servlet:
    HttpSession session = request.getSession(true); // get the current session, creating it if needed
    session.setMaxInactiveInterval(25*60); // 25-minute session timeout, passed in seconds
As described above, you can set the session timeout value either in the standard web.xml file or in your Servlet/JSP. In addition to these options, your application server may support configuring the session timeout value in its admin console. Consult your application server documentation for more information. Configuring the session timeout value in web.xml is the best way of doing it because it is flexible, portable and maintainable.
You should consider other recipes in this chapter to inactivate sessions
when the user logs out - as a primary solution to avoid unnecessary
memory consumption by HttpSession objects and consider this recipe as
a secondary solution where you can set the timeout value so that the
Servlet container removes inactive HttpSession objects automatically
after a shorter period of time than that specified by the default session