Tim Holloway wrote:J2EE sessions work like this:
But if I open 3 Edge windows, they'll all be using the same cookie pool, so all of the windows will be talking to the same session. If one window logs off, the sessionid is now invalid for all 3 windows.
Tim Moores wrote:By "instance" I assume you mean "browser window connected to the same web app". It sounds as if you're talking about sessions being invalidated. Why do you need separate session for the same user?
Bear Bibeault wrote:Why the response wrapper? Just use a straight-forward servlet filter.
Tim Holloway wrote:First you need to find out why all those sessions are alive at the same time. Do you have actually that many online users? If so, they may be legitimate and the only real choices are A) IBM (Install Bigger Memory), B) reduce the amount of session data being used by the offending application(s), C) Change the apps to minimize their use of an HttpSession environment (if you're using container security, that basically means making pages that don't really need the user to be logged in be unsecured - or Just In Time Login, if you prefer. D) Run a cluster. E) Convert to ReST (which is item B carried to its logical conclusion).
And F) Are these active users, or should you shorten the session timeout to drop people who left the site without logging off?
You might want to add Session Listeners to log the start and stop times (and thus durations) of the sessions, and at destroy time, look at how many/how big the collection of session-scope variables hanging onto it is.
Paul Clapham wrote:
Steve Dyke wrote:Thanks I have been trying to rethink this whole thing.
The first thing to think about is, why would you want to know which sessions are active? There must be a purpose for which you want to use that information. Then, maybe that purpose can be fulfilled in a different way.
Dave Tolls wrote:
If there is a security manager???
Stephan van Hulst wrote:You need to give some more information. What are you trying to achieve? What code are you using to try to achieve it? What input are you using? What output are you getting?
Stephan van Hulst wrote:Seeing as you're going to operate on the InetAddress object, you don't even have to convert to the byte format. Just use InetAddress.getByName() and you're done.