Disable Tomcat Sessions for REST

Posted by pedrorodriguez on 05-May-2017 10:38

Hi,

Is it possible to disable the creation of tomcat sessions when using it only as a completely stateless server for REST calls?

The goal of those rest services is to provide a replication system, so all session information is irrelevant, but even with 1 minute timeout lots of sessions get created causing issues in the tomcat server.

One option I have considered is to implement a custom filter that invalidates the session after processed the response, without much luck so far, would that be an approach that could work or is there something in the servlets that provide the rest service that will make it impossible?

Any other ideas or is there something fundamentally wrong that we are doing?

Cheers,

Posted by pedrorodriguez on 09-May-2017 17:08

Hi,

Thanks for your reply, unfortunately that didn't work, in fact setting session-timeout to zero makes it never to expire.

The solution that finally worked was to develop a simple Java servlet filter to delete the session created, if that filter is applied last in the web.xml succeeds to keep tomcat without http sessions created.

Cheers,

All Replies

Posted by Michael Jacobs on 07-May-2017 06:00


There is a problem in the REST adapter ( & PASOE's REST transport ) where unwanted HTTP sessions are being created, which triggers a session cookie to be returned to the client.   If the client sends the cookie in a request, it is ignored.   But it is still being handled.   The OE guys are working on it.

There are two things you can try to clean up the message exchange:
  1. In the web.xml file locate the cookie configuration, uncomment it with

    <session-config>

        <tracking-mode>URL</tracking-mode>

        <session-timeout>0</session-timeout>

    </session-config>


The URL tracking mode and 0 session timeout may block session cookies

2. In the oeablSecurity-xxxx-yyyy.xml Spring Security configuration

Ensure the <http> element's 'create-session' attribute value is "stateless"

See if that helps.

Mike Jacobs

Posted by pedrorodriguez on 09-May-2017 17:08

Hi,

Thanks for your reply, unfortunately that didn't work, in fact setting session-timeout to zero makes it never to expire.

The solution that finally worked was to develop a simple Java servlet filter to delete the session created, if that filter is applied last in the web.xml succeeds to keep tomcat without http sessions created.

Cheers,

Posted by Donicello Lampe on 10-May-2017 02:58
This thread is closed