Accessing the login page creates too many sessions?

I use Spring Framework, Apache and Tomcat, and the login page is processed using Spring Security. I have a problem: every first request to the login page generates a new session for the user. I know it's the default behavior that when you access the login page, a new session is created for you. So if there is heavy load on the login page, with too many users simply looking at the login page without any action, too many unused sessions are created. What do you guys think about the problem? I know that this is rare, but it can happen. How do I deal with it?

+3
1 answer

I do not think this is rare. One possible solution may be to set a minimum session timeout, for example 5 minutes. In addition, you can write a filter to increase the session timeout if the session already exists for the user. Thus, an ordinary user will have a session timeout of 30 minutes, and users who view only one page will have a timeout of 5 minutes.

Here is a filter that does the trick:

public void doFilter(ServletRequest request, ServletResponse response,
        FilterChain chain) throws IOException, ServletException {

    HttpServletRequest httpRequest = (HttpServletRequest)request;

    // The false is important, otherwise a new session will be created.
    HttpSession session = httpRequest.getSession(false);

    if (session == null) {
        chain.doFilter(request, response);
        return;
    }

    session.setMaxInactiveInterval(30 * 60);
    chain.doFilter(request, response);
}

Another good tip is to filter out crawlers like the Google bot. "Bot Detection" is a good search keyword.

+2
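
An added example, not part of the answer above: a variant of the filter that extends the timeout only for sessions that hold an authenticated Spring Security context, so a second anonymous hit on the login page stays on the short timeout. It assumes the `javax.servlet` API, that the container default timeout is already set to the short value, and that the filter is registered ahead of the Spring Security filter chain; the class name is hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical class name (assumption, not from the original answer).
public class AuthenticatedSessionTimeoutFilter implements Filter {

    // Session attribute under which Spring Security's
    // HttpSessionSecurityContextRepository stores the SecurityContext.
    // Anonymous contexts are not stored there, so its presence means a login.
    private static final String SECURITY_CONTEXT_KEY = "SPRING_SECURITY_CONTEXT";

    private static final int AUTHENTICATED_TIMEOUT_SECONDS = 30 * 60;

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        // Run the rest of the chain first, so a successful login in this
        // request has already been written to the session.
        chain.doFilter(request, response);

        // false: never create a session just to inspect it.
        HttpSession session = ((HttpServletRequest) request).getSession(false);
        if (session == null) {
            return;
        }
        try {
            if (session.getAttribute(SECURITY_CONTEXT_KEY) != null
                    && session.getMaxInactiveInterval() != AUTHENTICATED_TIMEOUT_SECONDS) {
                session.setMaxInactiveInterval(AUTHENTICATED_TIMEOUT_SECONDS);
            }
        } catch (IllegalStateException invalidated) {
            // Session was invalidated (for example by logout); nothing to extend.
        }
    }

    @Override
    public void destroy() { }
}
```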

Source: https://habr.com/ru/post/1776685/

