For my web app, I use tomcat declarative security to tie login credentials to the company Active Directory. On two of our servers, logins were timing out after one minute of inactivity. On the other two servers, there is a thirty minute timeout (which is what I want).
Yesterday, I found the cause of the problem. The two servers with one minute timeouts have a tomcat Persistence Manager enabled to write session information to disk. Our IT guy is out this week, so I don’t know the exact details of what he was trying to accomplish with this, but he had set PersistenceManager up like this in context.xml:
<Manager sessionIdLength="64"
         className="org.apache.catalina.session.PersistentManager"
         maxIdleBackup="10"
         maxIdleSwap="30">
    <Store className="org.apache.catalina.session.JDBCStore"
           dataSourceName="jdbc/Auth"
           sessionTable="sessions"
           sessionAppCol="app_name"
           sessionDataCol="session_data"
           sessionIdCol="session_id"
           sessionLastAccessedCol="last_access"
           sessionMaxInactiveCol="max_inactive"
           sessionValidCol="valid_session" />
</Manager>
I did some research and discovered that the Idle numbers are in seconds. Thinking that might be the culprit I changed the Manager portion to:
<Manager sessionIdLength="16"
         className="org.apache.catalina.session.PersistentManager"
         maxIdleBackup="600"
         maxIdleSwap="3600"
         minIdleSwap="1800">
This fixed my problem. So it appears that forcing the Persistence Manager to write sessions out to disk after thirty seconds of inactivity was killing my session logins. I tracked the JSESSIONID cookie and found that the cookie remained the same even after the user is forced back to the login screen. It only changes when you re-login. This is what you would expect, because persisting the session to disk couldn’t possibly change the session id. However, it does cause my declarative security model to force the user to log in again.
I did find in the manual that the maxIdleSwap variable not only controls persisting sessions to disk, but also causes the “passivating of the session out of server memory”. This sounds a bit suspicious to me.
Does anyone have any experience with this issue? Why does the Persistence Manager kill my web app logins when it persists sessions to disk? Is there any way around this without changing the swap control variables like I did?
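An added example (not from the original post) for confirming whether PersistentManager's swap-out is what precedes the forced re-login: a Serializable session attribute that logs each passivation and re-activation with the session id, so the timestamps can be lined up against the login page hits. It assumes a Servlet 3.x web app on Tomcat 7 to 9 (javax.servlet); on Tomcat 10 the imports become jakarta.servlet.

```java
import java.io.Serializable;
import java.util.logging.Logger;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionActivationListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Stored in every session; Tomcat calls the two callbacks when the
// PersistentManager swaps the session out to the Store and back in.
public class PassivationProbe implements HttpSessionActivationListener, Serializable {
    private static final long serialVersionUID = 1L;
    private static final Logger LOG = Logger.getLogger("session.passivation");

    // Survives serialization, so the activation log line can report how long
    // the session sat in the JDBCStore.
    private long passivatedAtMillis;

    @Override
    public void sessionWillPassivate(HttpSessionEvent se) {
        HttpSession s = se.getSession();
        passivatedAtMillis = System.currentTimeMillis();
        LOG.info("PASSIVATE id=" + s.getId()
                + " idleSec=" + (passivatedAtMillis - s.getLastAccessedTime()) / 1000
                + " maxInactiveSec=" + s.getMaxInactiveInterval());
    }

    @Override
    public void sessionDidActivate(HttpSessionEvent se) {
        long storedSec = (System.currentTimeMillis() - passivatedAtMillis) / 1000;
        LOG.info("ACTIVATE id=" + se.getSession().getId() + " storedSec=" + storedSec);
    }

    // Installs the probe as soon as a session is created, before any login.
    @WebListener
    public static class Installer implements HttpSessionListener {
        @Override
        public void sessionCreated(HttpSessionEvent se) {
            se.getSession().setAttribute("passivationProbe", new PassivationProbe());
        }

        @Override
        public void sessionDestroyed(HttpSessionEvent se) {
            LOG.info("DESTROY id=" + se.getSession().getId());
        }
    }
}
```

If a forced re-login follows a PASSIVATE/ACTIVATE pair for the same JSESSIONID with no DESTROY in between, the session object itself survived the swap and it is the authentication state attached to it that did not.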