How close is the actual session timeout period to the specified timeout period?
Created May 4, 2012
Avi Kak

During some development work recently, I became curious as to how close
the actual session timeout period was to the specified timeout period.
Much to my surprise, I discovered a wide discrepancy between the two for
the case when the specified timeout periods are short. I have not done
experiments for the case when the specified timeout periods are long.
I'd expect that for the case of long timeout periods, the two -- the specified and the actual --
would be in fairly close agreement.
I show below some empirical data obtained for four different values of the specified timeout periods: 10, 20, 60, and 120 seconds. For each case, I ran five trials. Each trial consisted of hitting the reload button of the client browser after the session had already timed out from the previous reload.
All times are in seconds.

| Specified session timeout period | Actual session timeout period for the server running on a Windows NT machine | Actual session timeout period for the server running on a Solaris 5.6 machine |
|---|---|---|
| 10 | 24 | 32 |
| 10 | 53 | 53 |
| 10 | 53 | 47 |
| 10 | 44 | 48 |
| 10 | 45 | 50 |
| 20 | 54 | 39 |
| 20 | 44 | 51 |
| 20 | 45 | 40 |
| 20 | 25 | 22 |
| 20 | 49 | 52 |
| 60 | 105 | 93 |
| 60 | 97 | 114 |
| 60 | 100 | 110 |
| 60 | 113 | 109 |
| 60 | 101 | 110 |
| 120 | 131 | 161 |
| 120 | 170 | 146 |
| 120 | 169 | 135 |
| 120 | 165 | 137 |
| 120 | 147 | 146 |

These results were obtained with Tomcat 3.1 as a stand-alone web server for both Windows NT and Solaris. The browser used was Netscape 4.73.
Shown below is a servlet, TestSessionTimeout, that I used for measuring the actual session timeout periods. For those new to servlets, the following comments should prove useful for understanding this servlet:
- Assuming that a session was not previously created, the method

      HttpSession session = HttpServletRequest.getSession( true );

  creates a new session between a client and a server.
- The timeout period of this session can be specified by invoking

      session.setMaxInactiveInterval( int interval );

  The timeout period of a session is the maximum permissible time in seconds between successive client accesses. If a client request is not received within the specified timeout period, the session is invalidated and objects bound to it are unbound.
- If an object wishes to receive notification of when it is bound to or unbound from a session, the object must implement the HttpSessionBindingListener interface.

    import java.io.*;
    import java.util.*;
    import javax.servlet.*;
    import javax.servlet.http.*;

    public class TestSessionTimeout extends HttpServlet {

        // Session attribute under which the SessionTimer object is bound
        private static final String TIMER_KEY = "session.timer";

        public void doGet (HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {

            // Create the session if needed and set the specified timeout (seconds)
            HttpSession session = request.getSession(true);
            session.setMaxInactiveInterval( 120 );

            // Bind a timer to a new session; it is notified when the session ends
            SessionTimer timer = (SessionTimer) session.getAttribute( TIMER_KEY );
            if ( timer == null ) {
                timer = new SessionTimer( session.getCreationTime() );
                session.setAttribute( TIMER_KEY, timer );
            }

            // Generate Output
            response.setContentType("text/html");
            PrintWriter out = response.getWriter();
            out.println("<html>"
                        + "<head><title>Session Information</title></head>"
                        + "<body bgcolor=\"#FFFFFF\">"
                        + "<h1>Session Information</h1><table>");
            out.println ("<tr><td>Identifier</td>");
            out.println ("<td>" + session.getId() + "</td></tr>");
            out.println ("<tr><td>Created</td>");
            out.println ("<td>" + new Date(session.getCreationTime()) + "</td></tr>");
            out.println ("<tr><td>Last Accessed</td>");
            out.println ("<td>" + new Date(session.getLastAccessedTime()) + "</td></tr>");
            out.println ("<tr><td>New Session?</td>");
            out.println ("<td>" + session.isNew() + "</td></tr>");

            // List every object currently bound to the session
            Enumeration names = session.getAttributeNames();
            while ( names.hasMoreElements() ) {
                String name = (String) names.nextElement();
                out.println ("<tr><td>" + name + "</td>");
                out.println ("<td>" + session.getAttribute(name) + "</td></tr>");
            }
            out.println("</table></body></html>");
            out.close();
        }
    }

    class SessionTimer implements HttpSessionBindingListener {

        // Creation time of the session this timer is bound to (ms since epoch)
        private long createTime;

        public SessionTimer( long ctime ) { createTime = ctime; }

        public void valueBound( HttpSessionBindingEvent event ) {}

        // Called when the session is invalidated: report how long it actually lived
        public void valueUnbound( HttpSessionBindingEvent event ) {
            try {
                long diffTimeInSecs = ( System.currentTimeMillis() - createTime ) / 1000;
                System.out.println( "The session duration in seconds: " + diffTimeInSecs );
            } catch( SecurityException e ) {}
        }
    }
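
Where the specified period has to be a hard limit (for example, an idle logout), the measurements above suggest not relying on the moment at which the container unbinds the session. The helper below is an added example, not part of the original servlet: it checks the idle time on every request and invalidates an overdue session itself. The class name `StrictIdleTimeout` and the attribute name `strict.idle.lastSeen` are hypothetical, and it assumes the container may still hand back a session whose idle period has passed but which it has not yet invalidated.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Added example: enforce the idle limit at request time instead of
 * waiting for the container to invalidate the session.
 */
public final class StrictIdleTimeout {

    // Hypothetical attribute name under which this helper keeps its own timestamp.
    private static final String LAST_SEEN_KEY = "strict.idle.lastSeen";

    private StrictIdleTimeout() {}

    /**
     * Returns a session that has been idle for no more than maxIdleSecs.
     * A session that has overstayed is invalidated (which also unbinds every
     * object bound to it, so an HttpSessionBindingListener such as the
     * SessionTimer is notified at that moment) and replaced by a new one.
     */
    public static HttpSession current(HttpServletRequest request, int maxIdleSecs) {
        long now = System.currentTimeMillis();
        HttpSession session = request.getSession(true);

        // Our own record of the previous request on this session, if any.
        Long lastSeen = (Long) session.getAttribute(LAST_SEEN_KEY);
        if (lastSeen != null && now - lastSeen.longValue() > maxIdleSecs * 1000L) {
            // The container has not expired this session yet, but it is overdue.
            session.invalidate();
            session = request.getSession(true);
        }

        // Keep the container's own timeout as the backstop for abandoned sessions.
        session.setMaxInactiveInterval(maxIdleSecs);
        session.setAttribute(LAST_SEEN_KEY, Long.valueOf(now));
        return session;
    }
}
```

In `doGet`, `HttpSession session = StrictIdleTimeout.current( request, 120 );` would take the place of the `getSession` and `setMaxInactiveInterval` calls.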