Skip to main content

When is HttpSession invalidated?

Posted by swchan2 on August 29, 2013 at 5:22 PM PDT

javax.servlet.http.HttpSession provides a way to identify an user across multiple HTTP requests and to store user specified information. In other words, it provides a support of stateful communications with the stateless HTTP protocol.

For security and memory management, sessions need to be invalidated at a certain time. There are two related methods in HttpSession.


By invoking invalidate(), the session will be invalidated immediately. This is useful for the case such as logout.

HttpSession.setMaxInactiveInterval(int interval)

The method setMaxInactiveInterval(int interval) allows us to configure the time (in seconds) between client requests before the servlet container will invalidate the session.
That is, an idle session will be invalidated after the specified time.

In GlassFish 4.0 (and earlier versions), there is a reaper thread for cleaning invalidated HttpSession periodically with a specific reap interval (reapInterval).
Let rtpt(s) be the time interval between the reaper process starts and the given session s is processed.
Then we have the following inequalities:

maxInactiveInterval + rtpt(s) <= invalidatedTime(s) <= maxInactiveInterval + reapInterval + rtpt(s)

In general, rtpt(s) is small. We would like to configure the reap interval. By default, the reap interval (reapInterval) is 60 seconds and it can be configured as follows:

  • in server level:
    asadmin set configs.config.server-config.web-container.session-config.session-manager.manager-properties.reap-interval-in-seconds=10
  • in application level:
    We can specify a configuration in glassfish-web.xml as follows:
    <!DOCTYPE glassfish-web-app
    PUBLIC "-// GlassFish Application Server 3.1 Servlet 3.0//EN"
                    <property name="reapIntervalSeconds" value="10"/>