What are some strategies to manage number of sessions and eliminate unneeded sessions in java?

What are some strategies to manage number of sessions and eliminate unneeded sessions?

Or

How do I get to know that session开发者_运维知识库s are no longer needed?

---

The servlet container will normally invalidate and wipe sessions which are timed out. You really don't need to worry about it at all. You can however configure the session timeout in web.xml as follows:

<session-config>
    <session-timeout>30</session-timeout>
</session-config>

The value is in minutes and the default value is 30 minutes. This means that when a client hasn't requested a page associated with the session for that long, then the session will be invalidated.

If you want to restrict the number of simultaneously open sessions, then you'll need to implement a HttpSessionListener and do the increment/decrement on sessionCreated() and sessionDestroyed() respectively. If you want to keep track of the actual HttpSession references as well for some vague reasons, be sure that you store them in a WeakHashMap so that they will automagically be removed whenever it's been invalidated/dereferenced in server's memory, otherwise it will pollute and overflow the server memory.

Once again, you should not worry about maintaining the sessions. Let the web container do its task, there it is designed for.

---

Why do you want to do this yourself? Your web server or container should handle this automatically without your intervention.

---

In most Java web application servers, there is a component that takes care of sessions for you (but you can configure and interact with that component if necessary). In Tomcat, it is the Manager component.

---

If you really need it, you could encourage your users to use a log off function, but in general most people will ignore it.

If you really really need it, you could use the onUnload javascript event to capture the event of when some of your users navigate to another site. Some general information on onUnload and in which scenarios it doesn't work can be found in this question Alternative for JavaScript onUnload . Ugly hacks for excluding links to your own domain http://www.dynamicdrive.com/forums/archive/index.php/t-4947.html.

Again, unless you really really need it, stick with configuring the session handling of the app servers.

---

What are the strategies that I need to use to manage number of sessions and eliminate unneeded sessions?

You don't, the application server does that for you. More precisely, the container keeps HttpSession in memory until the associated user has been inactive for a certain duration, at which point the session timeout occurs. At that time, the session can be garbage collected. That means that the HttpSession objects stay in memory for at least the length of time specified in the default configuration timeout value unless you remove them programmatically. This is usually done by exposing a logout feature where you call the HttpSession#invalidate() method. But there is absolutely no guarantee that user will use it.

How do I get to know that sessions are no longer needed?

How would you know what a user is doing behind his screen? That's why the container handle that for you and you should let him do its job. Just follow some best practices to allow your application to scale without memory problems:

• Minimize the Use of HttpSession (don't put the entire earth it).
• Remove objects from HttpSession if they are no longer used.
• Put long-living data in the database.