I'm having problems with sessions accumulating. I run an instance of Tomcat 6.0.18 on a Windows server. I have 3 apps.
I've been having memory issues (close to heap size, or OOM). When I look at the Tomcat manager, I see 500-1000 sessions in each of my 3 apps. When I view the sessions in the Tomcat manager, I can see that some of the sessions are multiple hours in idle time, yet they weren't expired.
One of the webapps has a 10 min timeout, but is set in code to 60 minutes (for some users). The other apps have 15 and 30 min timeouts. I also have an issue in that webapp 1 is getting repeated hits with the wrong session cookie (it has to do with my mod_jk load balancing), which drives up the session count. (Lots of sessions created with a single request that then have a 60 min timeout.) But it puzzles me that webapps 2 and 3 are also getting high session counts, and that they stick around even past the timeout.
I'm theorizing that the session cleanup is only happening when the server is not heavily loaded, and that (in this case) so many sessions accumulate that the server has low free CPU and the cleanup never runs. But I can't find any references to back this theory up.
Does anyone know the details of the session expiration algorithm? It doesn't run exactly on the timeout minutes -- when does it run?
You can disable session persistence via the context configuration, as stated in the Apache Tomcat Configuration Reference: