WebLogic: Session Management


Overview

* Session is a series of related requests that come from the same client
* Session tracks requests from the same client during a certain period of time
* Session can also be persisted

Session Configuration

* Configured in weblogic.xml
* The values to choose depend on:
– How many users you expect to hit the servlet (max-in-memory-sessions)
– How long each session lasts, i.e. the session timeout (timeout-secs)
– How much data you expect to store for each user
– The heap size allocated to the WebLogic Server instance

ExtendedSessionFormat

-Dweblogic.servlet.useExtendedSessionFormat=true

* Retains the information that the load-balancing application needs for session stickiness.
* The extended session ID format will be part of the URL if URL rewriting is activated, and the startup flag is set to true.

Session Timeout

* Can be set in both web.xml and weblogic.xml
* web.xml

  <session-config>
    <session-timeout>120</session-timeout>
  </session-config>

* weblogic.xml

<session-descriptor>
<timeout-secs>2400</timeout-secs>
</session-descriptor>

* If both are set, web.xml takes precedence.

Session Cookies

* By default,
– Cookies are used for session management
– When the browser quits, the cookie is lost and the session ends
* Cookie parameters can be set in weblogic.xml, e.g.
cookie-max-age-secs

Session Sharing

* Sessions can be shared among multiple web applications
* All web apps need to be packaged in the same ear file
* Enable session sharing in weblogic-application.xml, e.g.

<?xml version="1.0" encoding="ISO-8859-1"?>

<weblogic-application xmlns="http://www.bea.com/ns/weblogic/90">
   ...
 <session-descriptor>
     <persistent-store-type>memory</persistent-store-type>
     <sharing-enabled>true</sharing-enabled>
     ...
 </session-descriptor>
...
</weblogic-application>

Session Persistence

Five Implementations

* Memory (single server, non-replicated)

<persistent-store-type>memory</persistent-store-type>

* Cookies

<persistent-store-type>cookie</persistent-store-type>
<persistent-store-cookie-name>WLCOOKIE</persistent-store-cookie-name>

* File system

<persistent-store-type>file</persistent-store-type>
<persistent-store-dir>/opt/sessions</persistent-store-dir>

* JDBC

<persistent-store-type>jdbc</persistent-store-type>
<persistent-store-pool>jdbc/SessionDS</persistent-store-pool>
<cache-size>2048</cache-size>
<persistent-store-table>WL_SERVLET_SESSIONS</persistent-store-table>
<jdbc-column-name-max-inactive-interval>jdbc</jdbc-column-name-max-inactive-interval>
<jdbc-connection-timeout-secs>60</jdbc-connection-timeout-secs>

* In-memory replication (across a cluster)

<persistent-store-type>replicated</persistent-store-type>
or
<persistent-store-type>replicated_if_clustered</persistent-store-type>
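Every store other than memory (file, jdbc, replicated) has to write the session out of the JVM, so session attributes must be Serializable, and WebLogic persists or replicates a changed attribute only when setAttribute() is called again. The servlet below is an added example, not code from the page or from Oracle; the Cart class, the "cart" attribute name and the /cart path are assumptions made for the illustration.

```java
import java.io.IOException;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class CartServlet extends HttpServlet {

    private static final String CART_ATTR = "cart";   // assumed attribute name

    /**
     * Hypothetical session attribute. It is Serializable and keeps only small
     * values, so it survives a file, jdbc or replicated persistent store and
     * stays cheap to copy to a secondary server on every change.
     */
    static final class Cart implements Serializable {
        private static final long serialVersionUID = 1L;
        private final List<String> items = new ArrayList<>();

        void add(String sku) { items.add(sku); }
        List<String> items() { return new ArrayList<>(items); }
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String sku = request.getParameter("sku");
        if (sku == null || sku.isEmpty()) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing sku");
            return;
        }

        HttpSession session = request.getSession(true);
        Cart cart = (Cart) session.getAttribute(CART_ATTR);
        if (cart == null) {
            cart = new Cart();
        }
        cart.add(sku);

        // Mutating the object returned by getAttribute() is not enough for a
        // non-memory store: the change is written/replicated when setAttribute()
        // runs, so call it after every modification.
        session.setAttribute(CART_ATTR, cart);

        response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + "/cart"));
    }
}
```

If a non-serializable object is placed in the session, a memory store accepts it silently and the problem only shows up after switching to jdbc or replicated persistence, so it pays to keep attributes Serializable from the start.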

Using URL Rewriting Instead of Cookies

* By default, URL rewriting is enabled automatically when the client does not accept cookies.
* It can be disabled by setting url-rewriting-enabled to false
* e.g.

<session-descriptor>
<timeout-secs>3600</timeout-secs>
<invalidation-interval-secs>60</invalidation-interval-secs>
<cookie-name>MyCookie</cookie-name>
<cookie-max-age-secs>-1</cookie-max-age-secs>
<url-rewriting-enabled>false</url-rewriting-enabled>
</session-descriptor>

Coding Guidelines for URL Rewriting

* Encode URL before sending to an output stream:

  response.sendRedirect(
    response.encodeRedirectURL(welcomeURL));

* You can check if cookie is used:

boolean fromCookie = request.isRequestedSessionIdFromCookie();

* You can check if an HttpSession is new:

HttpSession session = request.getSession(true);
if (session.isNew()) {
  response.sendRedirect(
    response.encodeRedirectURL(welcomeURL));
}
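The three guidelines above combined in one servlet, as an added example that is not part of the original page: encodeRedirectURL() for the redirect, encodeURL() for links written to the output stream, session.isNew() to send first-time clients to the welcome page, and the isRequestedSessionIdFrom*() checks to record how the session id arrived. The /welcome.jsp and /account paths are assumed. A session id carried in the URL ends up in browser history, access logs and Referer headers, which is the reason to know how often that path is taken before leaving URL rewriting on.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class WelcomeServlet extends HttpServlet {

    // Hypothetical paths used by this example.
    private static final String WELCOME_PATH = "/welcome.jsp";
    private static final String ACCOUNT_PATH = "/account";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HttpSession session = request.getSession(true);

        // No usable session id was presented, so this is a fresh session.
        // encodeRedirectURL() appends ;jsessionid=... only when the container
        // has decided URL rewriting is needed (no cookie, rewriting enabled);
        // otherwise it returns the URL unchanged.
        if (session.isNew()) {
            response.sendRedirect(
                response.encodeRedirectURL(request.getContextPath() + WELCOME_PATH));
            return;
        }

        // Record the transport of the id, never the id itself.
        if (request.isRequestedSessionIdFromURL()) {
            getServletContext().log("session id arrived via URL rewriting for "
                + request.getRequestURI());
        } else if (request.isRequestedSessionIdFromCookie()) {
            getServletContext().log("session id arrived via cookie for "
                + request.getRequestURI());
        }

        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        // Links written to the output stream go through encodeURL(), not
        // encodeRedirectURL(); both leave the URL alone when a cookie is in use.
        out.println("<a href=\""
            + response.encodeURL(request.getContextPath() + ACCOUNT_PATH)
            + "\">My account</a>");
    }
}
```

Hard-coding a link without encodeURL() means a cookie-less client loses its session on the next click; encoding every link and redirect is what makes the url-rewriting-enabled switch in weblogic.xml a pure deployment decision.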

Session Logout

Log Out a Single Session

session.invalidate();

Log Out Multiple Applications such as in SSO

// Removes the authentication data from the user's session data,
// which logs out a user but allows the session to remain alive.
weblogic.servlet.security.ServletAuthentication.logout(request);

// Invalidates all the sessions and removes the authentication data for the current user.
// The cookie is also invalidated.
weblogic.servlet.security.ServletAuthentication.invalidateAll(request);

// Invalidates the current cookie by setting the cookie so that it expires immediately when the response is sent to the browser.
// This method depends on a successful response reaching the user's browser. The session remains alive until it times out.
weblogic.servlet.security.ServletAuthentication.killCookie(request);

* For example:

String logout = httpRequest.getParameter(UIConstants.logout);
if (logout != null && logout.equalsIgnoreCase("true")){
    ServletAuthentication.logout(httpRequest);
    ServletAuthentication.invalidateAll(httpRequest);
    ServletAuthentication.killCookie(httpRequest);
    doRedirect(httpResponse, loggedOutPage);
    return;
}
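The same logout sequence as a complete servlet, added here as an example rather than taken from the page: the three ServletAuthentication calls run in the order the page gives them, the server-side invalidation happens before the cookie is killed (killCookie only takes effect if the response reaches the browser), and the logout is performed on POST so that a link fetched by a prefetcher or embedded in an image tag cannot end a user's session. The /loggedout.jsp path is assumed.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import weblogic.servlet.security.ServletAuthentication;

public class LogoutServlet extends HttpServlet {

    // Hypothetical landing page for this example.
    private static final String LOGGED_OUT_PATH = "/loggedout.jsp";

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // 1. Drop the authenticated principal; the HttpSession itself survives this call.
        ServletAuthentication.logout(request);
        // 2. End every session of this user, not only the current one (the SSO case).
        ServletAuthentication.invalidateAll(request);
        // 3. Expire the session cookie in the browser. This relies on the response
        //    being delivered, which is why the server-side steps come first.
        ServletAuthentication.killCookie(request);

        // Keep the logged-out response out of browser and proxy caches.
        response.setHeader("Cache-Control", "no-store");
        // No encodeRedirectURL() here: there is no session left to carry.
        response.sendRedirect(request.getContextPath() + LOGGED_OUT_PATH);
    }

    // A GET only renders the confirmation form; it does not log anyone out.
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=UTF-8");
        response.getWriter().println(
            "<form method=\"post\" action=\"" + request.getRequestURI() + "\">"
            + "<button type=\"submit\">Log out</button></form>");
    }
}
```

If only killCookie() were called, the server-side session would stay valid until timeout-secs elapsed, and anyone still holding the id could keep using it; invalidateAll() is the call that actually ends it.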

References

* Using Sessions and Session Persistence
* weblogic.xml Deployment Descriptor Elements
