Basically tomcat comes with 2 Session Managers - StandardManager and PersistentManager. We can further define Store in a PersistentManager as FileStore and JDBCStore.
StandardManager persists sessions by default in `Sessions.ser` file across tomcat shutdown and restart. PersistentManager stores idle Sessions in `<sessionId>.session` file or `database`.
My question is how these Session Manager handles Sessions once they have persisted them in.ser file or in .session file or database and then got expired ?
Will tomcat clean them off regularly ?
1) So, next time when tomcat upload the session from `Sessions.ser`, will it ignore or delete invalid sessions ?
2) For PersistentManager, once tomcat restarts, it will load sessions to memory again with invalid ones also ?
3) For PersistentManager, when will it clear those invalid sessions from `<sessionId>.session` file or `database` ?
I think that's going to depend on what session manager you've got plugged in.
When a session times out or gets invalidated, the jsessionid for that session should have been removed from the session map, and if the session is not being abused, that would render it instantly available for garbage collection if in memory. I would hope that this deletion would also be reflected to the session manager which should then purge the persistent copy.
The real problem is what happens when Tomcat crashes and restarts with orphan sessions, and that's partly controlled, if I recall, by server.xml settings.
So I don't really know, and it has almost certainly evolved over the various releases of Tomcat. So I'd have to check on a per-release basis.
As for myself, I've just used the default manager and whenever I'm testing or otherwise paranoid, I erase everything under TOMCAT_HOME/work, TOMCAT_HOME/temp and TOMCAT_HOME/logs before restarting Tomcat, So that resolves the question for me Gordian-knot style.
Although I think on production servers, I've left the persistent sessions alone and they simply proceeded as though Tomcat had never gone down. Restarted or not, sessions do eventually time out anyway.
Some people, when well-known sources tell them that fire will burn them, don't put their hands in the fire.
Some people, being skeptical, will put their hands in the fire, get burned, and learn not to put their hands in the fire.
And some people, believing that they know better than well-known sources, will claim it's a lie, put their hands in the fire, and continue to scream it's a lie even as their hands burn down to charred stumps.