Tomcat not invalidating sessions
In a Spring MVC app, to be able to log the creation and destruction time of a session you need to define inside your a listener which implements After adding this logging functionality I found it easy to monitor users’ session flows more precisely. With that implemented, I knew exactly when the session was created, but I didn’t know whether the destruction of the session was caused manually by the user, by clicking the logout button, or was done by the app itself.
Each JBoss instance is balanced by Apache HTTP Server and each of the machines is balanced by a load balancer. If that happens, the currently logged-in user will be logged out after performing any action on the website. My application did not have that configuration set up, but you should always check for its existence during the investigation of session-related issues. It might happen that developers implement mechanisms that directly influence the behavior of users’ sessions. As you can notice, the max-sessions allowed for a user is set to 1. If the max-sessions value is exceeded for a logged-in user, the application might invalidate the user’s session.
The plan consists of six steps and this blog post represents it.