Topic
3 replies Latest Post - ‏2013-11-25T18:06:46Z by bergmark
vishalendu
5 Posts

Pinned topic How to limit the number of HTTPS Sessions on the Liberty Profile

‏2013-11-25T06:13:25Z |

Hi Folks,

I am testing an application based on GWT (Google Web Toolkit) on the Liberty Profile (8.5.0.1). I want to limit the number of HTTPS Sessions on the application.

I tried adding the following to reduce the max Sessions to 1:

<httpSession maxInMemorySessionCount="1" debugCrossover="true" sslTrackingEnabled="true" allowOverflow="false" invalidationTimeout="1800" invalidateOnUnauthorizedSessionRequestException="true"/>
<httpOptions keepAliveEnabled="false"/>
<connectionManager maxPoolSize="1" maxConnectionsPerThread="1"/>

I am still able to have more than 1 user log in to the application in parallel.

a) Is there any way in which I can limit the sessions or limit the number of users (logins)?

b) Or is this a known issue or defect that got fixed in a later Liberty version?

c) Or the Liberty Profile doesn't support this option.

d) Or I have not set the properties correctly.

Thanks,

Vishalendu

PS: The Features in the server.xml are :

<featureManager>
    <feature>jsp-2.2</feature>
    <feature>jdbc-4.0</feature>
    <feature>jpa-2.0</feature>
    <feature>localConnector-1.0</feature>
    <feature>ssl-1.0</feature>
</featureManager>
  • bergmark
    42 Posts

    Re: How to limit the number of HTTPS Sessions on the Liberty Profile

    ‏2013-11-25T15:45:06Z  in response to vishalendu

    maxInMemorySessionCount controls how many active HttpSession objects (i.e. HttpServletRequest.getSession) will be kept alive by the server.  This is independent of how many users may be logged in at once.

    • vishalendu
      5 Posts

      Re: How to limit the number of HTTPS Sessions on the Liberty Profile

      ‏2013-11-25T18:01:57Z  in response to bergmark

      Hi,

      Thanks for the quick reply. 

      I just want to understand if there is any way to control the maximum sessions on an instance of Liberty Profile. What I want is to control the number of users who can log into the system.

      Please correct me if I am wrong, the total number of active sessions (httpSessions) should correlate to the number of users logged into the system. 

      If I try to use Apache, I can only control the total number of TCP connections (max clients), which after reaching the limit degrades the overall performance of the application.

      As a security measure, is there a way to protect the application from overloading due to a large number of requests, or, as I mentioned in my requirement, limit the number of active httpSessions?

      Thanks,

      Vishalendu 

       

      • bergmark
        42 Posts

        Re: How to limit the number of HTTPS Sessions on the Liberty Profile

        ‏2013-11-25T18:06:46Z  in response to vishalendu

        No, a user could log in and access a Servlet, JSP, etc that never attempts to obtain an HttpSession. 

        To put it another way, this property is about limiting the amount of memory (in the form of HttpSession objects) that will be kept alive by the container between requests.  It does not sound like it is going to serve your intended purpose.
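
One application-level way to cap concurrent sessions with the standard Servlet 3.0 API, given that maxInMemorySessionCount does not limit logins. This is an added example, not code from the thread or from Liberty; the class name `SessionCapFilter`, the cap of 100 and the 503 response are assumptions.

```java
import java.io.IOException;
import java.util.concurrent.atomic.AtomicInteger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical class (not from the thread). The container creates separate
// instances for the listener and filter roles, so the counter is static.
@WebListener
@WebFilter("/*")
public class SessionCapFilter implements Filter, HttpSessionListener {
    private static final int MAX_SESSIONS = 100;   // assumed cap
    private static final AtomicInteger ACTIVE = new AtomicInteger();

    // Fires only when the application actually creates an HttpSession.
    @Override public void sessionCreated(HttpSessionEvent e)   { ACTIVE.incrementAndGet(); }
    // Fires on invalidate() (e.g. logout) or when the session times out.
    @Override public void sessionDestroyed(HttpSessionEvent e) { ACTIVE.decrementAndGet(); }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // getSession(false) never creates a session, so this check does not
        // inflate the count. Requests that already hold a session always pass.
        boolean hasSession = http.getSession(false) != null;
        if (!hasSession && ACTIVE.get() >= MAX_SESSIONS) {
            // Check-then-act is not atomic: a small overshoot is possible under load.
            ((HttpServletResponse) res).sendError(
                    HttpServletResponse.SC_SERVICE_UNAVAILABLE, "Session limit reached");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

The count tracks HttpSession objects, so it matches logged-in users only if the application creates a session at login and invalidates it at logout. Once the cap is reached, every request without a session is refused, including requests for the login page.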