[
https://issues.apache.org/jira/browse/CALCITE-6530?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17873659#comment-17873659
]
Istvan Toth commented on CALCITE-6530:
--------------------------------------
The session timeout is set on the Jetty SessionHandler object via the
setMaxInactiveInterval() method.
This patch sets it to a fixed 1 hour.

The session is only used for bypassing the potentially costly full
authentication process. Before CALCITE-4152 Avatica had to authenticate every
single request, so an extremely low timeout value would cause Avatica to revert
to the pre-CALCITE-4152 behaviour (and performance).

We need to set the timeout to a value that is low enough so that we do not run
into an OOM situation even when a lot of sessions are started, but high enough
so that the majority of requests will be able to use the session cookie instead
of having to re-authenticate.

The main advantage of using a session is in machine-to-machine use cases like
streaming or bulk loading data, or serving a web frontend, where a very high
volume of requests needs to be served, as that's where the authentication
costs can bottleneck performance.

If clients only make requests rarely enough to hit the session timeout (like an
interactive SQL session), then the total volume of requests is expected to be
low enough that the added cost of re-authentication after timing out a session is
unlikely to be a problem.

So while there is nothing stopping us from making the value configurable, I
cannot really see a use case where being able to set an exact timeout value
matters a great deal.

We could consider using 30 minutes instead of 60, so that we align with the
default value when web.xml is used for configuring Jetty.

> HTTP Sessions are never expired in Avatica server
> -------------------------------------------------
>
> Key: CALCITE-6530
> URL: https://issues.apache.org/jira/browse/CALCITE-6530
> Project: Calcite
> Issue Type: Bug
> Components: avatica
> Reporter: Istvan Toth
> Assignee: Istvan Toth
> Priority: Major
> Labels: pull-request-available
>
> HTTP sessions created by the Avatica server are never expired.
> This eventually causes the Avatica server to OOM.
> Well-designed clients using long-lived sessions may never generate enough
> sessions between server restarts for this to become apparent, but ill-behaved
> clients creating a lot of sessions can fill the heap in a short time.
> As the Jetty default (when not using the web.xml descriptor) is infinite
> lifetime, we need to set a reasonable default idle timeout when setting up
> Jetty Session handling.
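The trade-off argued in the comment above, as an added model that is not part of the original message and is not Avatica or Jetty code: it replays a workload against a session table with a given idle timeout and reports how many full authentications each client pays and how many sessions the server holds at peak. The three client patterns, their request intervals and the 8-hour window are constructed assumptions.

```python
"""Idle-timeout trade-off model (constructed workload, not Avatica/Jetty code)."""

WINDOW = 8 * 3600  # seconds simulated (assumption)

# name -> (request timestamps in seconds, does the client reuse its session cookie?)
WORKLOAD = {
    "bulk": (range(0, WINDOW, 10), True),            # machine-to-machine loader
    "interactive": (range(0, WINDOW, 7200), True),   # occasional SQL shell user
    "ill_behaved": (range(0, WINDOW, 60), False),    # new session on every request
}


def simulate(clients, idle_timeout):
    """Replay the workload; idle_timeout is in seconds, None means never expire.

    Returns (full authentications per client, peak number of live sessions).
    """
    events = sorted((t, name) for name, (times, _) in clients.items() for t in times)
    sessions = {}   # session id -> last access time
    cookie = {}     # client name -> session id it was last issued
    full_auths = {name: 0 for name in clients}
    peak = next_id = 0
    for now, name in events:
        if idle_timeout is not None:
            # Drop every session idle for longer than the timeout.
            for sid in [s for s, last in sessions.items() if now - last > idle_timeout]:
                del sessions[sid]
        sid = cookie.get(name) if clients[name][1] else None
        if sid in sessions:
            sessions[sid] = now            # cookie accepted, full auth skipped
        else:
            full_auths[name] += 1          # full authentication, new session
            next_id += 1
            sessions[next_id] = now
            cookie[name] = next_id
        peak = max(peak, len(sessions))
    return full_auths, peak


if __name__ == "__main__":
    for timeout in (None, 3600, 1800, 5):
        auths, peak = simulate(WORKLOAD, timeout)
        print(f"timeout={timeout}: full auths={auths}, peak live sessions={peak}")
```

With no timeout the session table only grows; with a 1 hour or 30 minute timeout it is bounded while the bulk client still authenticates once; with a timeout shorter than the bulk client's request interval every one of its requests pays for full authentication.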