HTTP Session (httpSession)

Configuration for HTTP session management.

Each attribute is listed as name (type, default), followed by its description.

allowOverflow (boolean, default true)
    Allows the number of sessions in memory to exceed the value of the Max in-memory session count (maxInMemorySessionCount) property.

cookieSameSite (one of Disabled, Lax, None, Strict; default Disabled)
    Specifies the SameSite attribute value to use for session cookies.
    Disabled: do not set a SameSite attribute on the session cookies.
    Lax: set the session cookie SameSite attribute to Lax.
    None: set the session cookie SameSite attribute to None.
    Strict: set the session cookie SameSite attribute to Strict.

maxInMemorySessionCount (int, default 1000)
    Maximum number of sessions to maintain in memory for each web module.

Advanced

accessOnTimeout (boolean, default true)
    Gives the servlet access to the session, which allows normal execution even if the session is still locked by another servlet. Set this property to false to stop servlet execution when the session requests a timeout. The default value is true.

allowSerializedAccess (boolean, default false)
    Enable this option to allow serialized access to session data.

debugCrossover (boolean, default false)
    Enable this option to perform additional checks that verify only the session associated with the request is accessed or referenced, and to log messages if any discrepancies are detected. Disable this option to skip the additional checks.

idLength (int, default 23)
    Length of the session identifier.

idReuse (boolean, default false)
    In a multi-JVM environment that is not configured for session persistence, setting this property to true enables the session manager to use the same session information for all of a user's requests even if the web applications that are handling these requests are governed by different JVMs. The default value is false. Set this property to true if you want the session manager to use the session identifier sent from a browser to preserve session data across web applications that are running in an environment that is not configured for session persistence.

maxWaitTime (int, default 0)
    The amount of time, in seconds, that a servlet waits on a session before it continues execution.

modifyActiveCountOnInvalidatedSession (boolean, default true)
    The HttpSession activeCount metric might become inaccurate when the session is accessed by multiple applications. Set this property to false to resolve the issue.

noAdditionalInfo (boolean, default false)
    Forces removal of information that is not needed in session identifiers.

Cookies

cookieDomain (string, no default)
    Domain field of a session tracking cookie.

cookieHttpOnly (boolean, default true)
    Specifies that session cookies include the HttpOnly field. Browsers that support the HttpOnly field do not allow cookies to be accessed by client-side scripts. Using the HttpOnly field helps limit the impact of cross-site scripting attacks on session cookies.

cookieMaxAge (period of time with second precision, default -1)
    Maximum amount of time that a cookie can reside in the client browser. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry; for example, 1m30s is equivalent to 90 seconds.

cookieName (string, default JSESSIONID)
    A unique name for a session management cookie.

cookiePath (string, default /)
    A cookie is sent to the URL designated in the path.

cookieSecure (boolean, default false)
    Specifies that session cookies include the Secure field.

useContextRootAsCookiePath (boolean, default false)
    Specifies that the cookie path equals the context root of the web module instead of /.

Failover

cloneId (string, no default)
    The clone identifier of the cluster member. Within a cluster, this identifier must be unique to maintain session affinity. When set, this name overrides the default name generated by the server.

cloneSeparator (string, default :)
    The single character used to separate the session identifier from the clone identifier in session cookies. The default value should usually be used. On some Wireless Application Protocol (WAP) devices, a colon (:) is not allowed, so a plus sign (+) should be used instead. Different values should rarely be used. Understand the clone character requirements of other products running on your system before using this property to change the clone separator character. The fact that any character can be specified as the value for this property does not imply that the character you specify will function correctly, nor that IBM is responsible for fixing any problem that might arise from using an alternative character.

Invalidation

forceInvalidationMultiple (int, default 3)
    If your requests normally are not bound by a response time limit, specify 0 to indicate that the session manager should wait indefinitely until a request is complete before attempting to invalidate the session. Otherwise, set this property to a positive integer to delay the invalidation of active sessions. Active timed-out sessions are not invalidated by the first invalidation interval pass, but by the interval pass indicated by this value. For example, a value of 2 invalidates an active session on the second invalidation interval pass after the session timeout has expired.

invalidationTimeout (period of time with second precision, default 30m)
    Amount of time a session can go unused before it is no longer valid, in seconds if no unit of time is specified. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry; for example, 1m30s is equivalent to 90 seconds.

reaperPollInterval (period of time with second precision, default -1)
    The wake-up interval, in seconds, for the process that removes invalid sessions. The minimum value is 30 seconds. If a value less than the minimum is entered, an appropriate value is automatically determined and used. This value overrides the default installation value, which is between 30 and 360 seconds, based on the session timeout value. Because the default session timeout is 30 minutes, the reaper interval is usually between 2 and 3 minutes. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry; for example, 1m30s is equivalent to 90 seconds.

Security

invalidateOnUnauthorizedSessionRequestException (boolean, default false)
    Set this property to true if, in response to an unauthorized request, you want the session manager to invalidate the session instead of issuing an UnauthorizedSessionRequestException. When a session is invalidated, the requester can create a new session but does not have access to any of the previously saved session data. This allows a single user to continue processing requests to other applications after a logout while still protecting session data.

securityIntegrationEnabled (boolean, default true)
    Enables security integration, which causes the session management facility to associate the identity of users with their HTTP sessions.

securityUserIgnoreCase (boolean, default false)
    Indicates that the session security identity and the client security identity are considered a match even if their cases differ. For example, when this property is set to true, the session security identity USER1 matches the client security identities User1 and user1.

Session Tracking Mechanism

cookiesEnabled (boolean, default true)
    Specifies that session tracking uses cookies to carry session identifiers.

sslTrackingEnabled (boolean, default false)
    Specifies that session tracking uses Secure Sockets Layer (SSL) information as a session identifier.

urlRewritingEnabled (boolean, default false)
    Specifies that the session management facility uses rewritten URLs to carry the session identifiers.

URL Rewriting

alwaysEncodeUrl (boolean, default false)
    The Servlet 2.5 specification says not to encode the URL on a response.encodeURL call if encoding is not necessary. To support backward compatibility when URL encoding is enabled, set this property to true so that the encodeURL method always encodes the URL, even if the browser supports cookies.

protocolSwitchRewritingEnabled (boolean, default false)
    Adds the session identifier to a URL when the URL requires a switch from HTTP to HTTPS or from HTTPS to HTTP.

rewriteId (string, default jsessionid)
    Use this property to change the key used with URL rewriting.
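The Cookies, Session Tracking Mechanism and URL Rewriting attributes above decide how exposed the session identifier is, and several protective settings (cookieSecure, cookieSameSite) are off by default. The following audit script is an added example, not Liberty code: it parses the httpSession element from a constructed server.xml, fills in unspecified attributes with the defaults documented on this page, and reports settings that weaken session-cookie protection.

```python
"""Audit the <httpSession> element of a Liberty server.xml (added example, not Liberty code)."""
import xml.etree.ElementTree as ET

# Documented defaults for the attributes this audit looks at.
DEFAULTS = {
    "cookieSecure": "false",
    "cookieHttpOnly": "true",
    "cookieSameSite": "Disabled",
    "urlRewritingEnabled": "false",
    "idLength": "23",
}

# Constructed sample: only two attributes are set explicitly, so the rest
# take the documented defaults (cookieSecure false, no SameSite attribute).
WEAK_SERVER_XML = """<server>
  <httpSession cookieName="JSESSIONID" urlRewritingEnabled="true"/>
</server>"""

# Constructed hardened version of the same element.
HARDENED_SERVER_XML = """<server>
  <httpSession cookieSecure="true" cookieHttpOnly="true"
               cookieSameSite="Strict" urlRewritingEnabled="false"/>
</server>"""

def http_session_settings(server_xml: str) -> dict:
    """Effective attribute values: explicit settings layered over the defaults."""
    root = ET.fromstring(server_xml)
    elem = root.find("httpSession")
    explicit = dict(elem.attrib) if elem is not None else {}
    return {**DEFAULTS, **explicit}

def audit_http_session(server_xml: str) -> list:
    """Return one finding per setting that weakens protection of the session id."""
    s = http_session_settings(server_xml)
    findings = []
    if s["cookieSecure"].lower() != "true":
        findings.append("cookieSecure: session cookie may be sent over plain HTTP")
    if s["cookieHttpOnly"].lower() != "true":
        findings.append("cookieHttpOnly: session cookie readable by client-side scripts")
    if s["cookieSameSite"] == "Disabled":
        findings.append("cookieSameSite: no SameSite attribute on the session cookie")
    if s["urlRewritingEnabled"].lower() == "true":
        findings.append("urlRewritingEnabled: session id carried in URLs (logs, Referer)")
    if int(s["idLength"]) < int(DEFAULTS["idLength"]):
        findings.append("idLength: shorter than the documented default of 23")
    return findings

if __name__ == "__main__":
    for name, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(name, audit_http_session(xml) or ["no findings"])
```

Run it against your own server.xml by passing the file contents to audit_http_session; an element that relies on the defaults for cookieSecure and cookieSameSite is reported even though nothing is set explicitly.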