HTTP Session (httpSession)
Configuration for HTTP session management.
Name | Type | Default | Description |
---|---|---|---|
allowOverflow | boolean | true | Allows the number of sessions in memory to exceed the value of the Max in-memory session count property. |
maxInMemorySessionCount | int | 1000 | Maximum number of sessions to maintain in memory for each web module. |
Advanced | |||
accessOnTimeout | boolean | true | This property gives the servlet access to the session, which allows normal execution even if the session is still locked by another servlet. Set this property to false to stop the servlet execution when the session requests a timeout. The default value is true. |
allowSerializedAccess | boolean | false | Enable this option to allow serialized access to session data. |
debugCrossover | boolean | false | Enable this option to perform additional checks to verify that only the session associated with the request is accessed or referenced, and log messages if any discrepancies are detected. Disable this option to skip the additional checks. |
idLength | int | 23 | Length of the session identifier. |
idReuse | boolean | false | In a multi-JVM environment that is not configured for session persistence, setting this property to "true" enables the session manager to use the same session information for all of a user's requests even if the web applications that are handling these requests are governed by different JVMs. The default value for this property is false. Set this property to true if you want to enable the session manager to use the session identifier sent from a browser to preserve session data across web applications that are running in an environment that is not configured for session persistence. |
maxWaitTime | int | 0 | The amount of time, in seconds, a servlet waits on a session before it continues execution. |
modifyActiveCountOnInvalidatedSession | boolean | true | The HttpSession activeCount metric might become inaccurate when the session is accessed by multiple applications. Set the property to "false" to resolve the issue. |
noAdditionalInfo | boolean | false | Forces removal of information that is not needed in session identifiers. |
Cookies | |||
cookieDomain | string | | Domain field of a session tracking cookie. |
cookieHttpOnly | boolean | true | Specifies that session cookies include the HttpOnly field. Browsers that support the HttpOnly field do not enable cookies to be accessed by client-side scripts. Using the HttpOnly field will help prevent cross-site scripting attacks. |
cookieMaxAge | A period of time with second precision | -1 | Maximum amount of time that a cookie can reside on the client browser. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds. |
cookieName | string | JSESSIONID | A unique name for a session management cookie. |
cookiePartitioned | | defer | Specifies that session cookies include the Partitioned attribute. The Partitioned attribute only applies when the SameSite attribute is set to none, and is only used by browsers that support cookie partitioning. The default value is Defer. |
cookiePath | string | / | A cookie is sent to the URL designated in the path. |
cookieSameSite | | Disabled | Specifies a SameSite attribute value to use for session cookies. |
cookieSecure | boolean | false | Specifies that the session cookies include the secure field. |
useContextRootAsCookiePath | boolean | false | Specifies that the cookie path equals the context root of the web module instead of /. |
Failover | |||
cloneId | string | | The clone identifier of the cluster member. Within a cluster, this identifier must be unique to maintain session affinity. When set, this name overwrites the default name generated by the server. |
cloneSeparator | string | : | The single character used to separate the session identifier from the clone identifier in session cookies. The default value should usually be used. On some Wireless Application Protocol (WAP) devices, a colon (:) is not allowed, so a plus sign (+) should be used instead. Different values should rarely be used. You should understand the clone character requirements of other products running on your system before using this property to change the clone separator character. The fact that any character can be specified as the value for this property does not imply that the character you specify will function correctly. This fact also does not imply that IBM is responsible for fixing any problem that might arise from using an alternative character. |
Invalidation | |||
forceInvalidationMultiple | int | 3 | If your requests normally are not bound by a response time limit, specify 0 to indicate that the session manager should wait indefinitely until a request is complete before attempting to invalidate the session. Otherwise, set this property to a positive integer to delay the invalidation of active sessions. Active timed out sessions will not be invalidated by the first invalidation interval pass, but will be invalidated by the interval pass based on this value. For example, a value of 2 would invalidate an active session on the second invalidation interval pass after the session timeout has expired. |
invalidationTimeout | A period of time with second precision | 30m | Amount of time a session can go unused before it is no longer valid, in seconds if unit of time isn't specified. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds. |
reaperPollInterval | A period of time with second precision | -1 | The wake-up interval, in seconds, for the process that removes invalid sessions. The minimum value is 30 seconds. If a value less than the minimum is entered, an appropriate value is automatically determined and used. This value overrides the default installation value, which is between 30 and 360 seconds, based off the session timeout value. Because the default session timeout is 30 minutes, the reaper interval is usually between 2 and 3 minutes. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds. |
Security | |||
invalidateOnUnauthorizedSessionRequestException | boolean | false | Set this property to true if, in response to an unauthorized request, you want the session manager to invalidate a session instead of issuing an UnauthorizedSessionRequestException. When a session is invalidated, the requester can create a new session, but does not have access to any of the previously saved session data. This allows a single user to continue processing requests to other applications after a logout while still protecting session data. |
securityIntegrationEnabled | boolean | true | Enables security integration, which causes the session management facility to associate the identity of users with their HTTP sessions. |
securityUserIgnoreCase | boolean | false | Indicates that the session security identity and the client security identity should be considered a match even if their cases are different. For example, when this property is set to true, the session security identity USER1 matches the client security identities User1 and user1. |
Session Tracking Mechanism | |||
cookiesEnabled | boolean | true | Specifies that session tracking uses cookies to carry session identifiers. |
sslTrackingEnabled | boolean | false | Specifies that session tracking uses Secure Sockets Layer (SSL) information as a session identifier. |
urlRewritingEnabled | boolean | false | Specifies that the session management facility uses rewritten URLs to carry the session identifiers. |
URL Rewriting | |||
alwaysEncodeUrl | boolean | false | The Servlet 2.5 specification specifies to not encode the URL on a response.encodeURL call if it is not necessary. To support backward compatibility when URL encoding is enabled, set this property to true to call the encodeURL method. The URL is always encoded, even if the browser supports cookies. |
protocolSwitchRewritingEnabled | boolean | false | Adds the session identifier to a URL when the URL requires a switch from HTTP to HTTPS or from HTTPS to HTTP. |
rewriteId | string | jsessionid | Use this property to change the key used with URL rewriting. |
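As an added example (constructed here, not taken from the product documentation), a server.xml fragment that contrasts the table's default, weaker cookie settings with a hardened httpSession element. Only the attribute names from the table are used; the SameSite value "Lax" is assumed to be one of the accepted values for cookieSameSite.

```xml
<!-- Constructed example of a Liberty server.xml httpSession element.
     A real server.xml holds one active <httpSession> element; the first
     one below is commented out and kept only for contrast. -->
<server description="httpSession hardening example (constructed)">

  <!-- Weak: equivalent to the defaults in the table. JSESSIONID is sent over
       plain HTTP (cookieSecure=false) and carries no SameSite attribute
       (cookieSameSite=Disabled), so it is exposed on cleartext connections
       and attached to cross-site requests. The 30 minute idle timeout is
       the default value. -->
  <!--
  <httpSession cookieSecure="false"
               cookieHttpOnly="true"
               cookieSameSite="Disabled"
               invalidationTimeout="30m"
               urlRewritingEnabled="false" />
  -->

  <!-- Hardened:
       cookieSecure        cookie only sent over HTTPS
       cookieHttpOnly      not readable by client-side script
       cookieSameSite      "Lax" (assumed accepted value) limits cross-site use;
                           cookiePartitioned is left at its default because it
                           only applies when SameSite is None
       cookieMaxAge        -1 keeps a session cookie that is not persisted
       invalidationTimeout shorter idle window before the session is invalid
       reaperPollInterval  1m, above the documented 30s minimum
       urlRewritingEnabled false so the session ID never appears in URLs,
                           where it would land in logs and Referer headers
       invalidateOnUnauthorizedSessionRequestException
                           invalidate rather than throw, so a user who logged
                           out gets a fresh session with no old data -->
  <httpSession cookieName="JSESSIONID"
               cookiePath="/"
               cookieSecure="true"
               cookieHttpOnly="true"
               cookieSameSite="Lax"
               cookieMaxAge="-1"
               invalidationTimeout="15m"
               reaperPollInterval="1m"
               cookiesEnabled="true"
               urlRewritingEnabled="false"
               protocolSwitchRewritingEnabled="false"
               securityIntegrationEnabled="true"
               invalidateOnUnauthorizedSessionRequestException="true" />
</server>
```

After applying the change, confirm the Set-Cookie header on an HTTPS response shows JSESSIONID with the Secure, HttpOnly and SameSite attributes before relying on it.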