HttpSession tracking

Thu, 21 Mar 2024 12:25:39 -0700 

All,
After having written a solution using JMX to do something like this, I'd like to make it cleaner and I'm not sure it's entirely possible using just Servlet APIs. 

I'd like to be able to track every HttpSession for the application.

for admin purposes, I'd like to be able to analyze:

1. The total number of sessions


2. The number of sessions which represent a logged-in user vs a 
crawler-session or someone who visited the home-page and got a session 
but never logged-in



3. Checking-out some specific roles of those logged-in users e.g. 
end-user, staff, admin



4. Be able to kill a session at will. For example "chris is already 
logged-in, kill his old session and let the new login remain"



I started with the obvious HttpSessionListener + 
HttpSessionActivationListener, but I tried this experiment and it didn't 
turn out how I expected:


1. Start the application and hit the front page

-> I get a call to HttpSessionListener.sessionCreated (expected)

2. Login

3. Logout

-> I get a call to HttpSessionListener.sessionDestroyed (expected)
-> I get a call to HttpSessionListener.sessionCreated (expected)
   (this second one happens because our home-page creates a session)

4. Login again

5. Stop Tomcat

-> No calls to anything I can see

6. Start Tomcat

-> No calls to anything I can see

7. Access a protected page

-> Access is allowed; I'm still logged-in.


When Tomcat shuts-down, it's saving the sessions using local 
persistence[1]. When the application comes back up, all those sessions 
are restored from the disk.



When my HttpSeessionListener starts, it's empty and doesn't know about 
any sessions. Tomcat doesn't notify it that any sessions are coming from 
that storage.



I would have expected calls to 
HttpSessionActivationListener.sessionWillPassivate and 
HttpSessionActivationListener.sessionDidActivate.



Do I have unrealistic expectations? Is there a way to capture these 
events so my in-memory session-watcher/manager is able to have an 
accurate view of what Tomcat can see?


Thanks,
-chris


[1] 
https://tomcat.apache.org/tomcat-8.5-doc/config/manager.html#Persistence_Across_Restarts


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org























					Reply via email to