We are using Springboot 2 and sometime ago we started facing HikariPool connection exhaustion issue. Upon Debugging we found out the that hibernate Open Session in View is by default enabled in Spring.
Now my question is how do we disable it. As the codebase is big enough. If We simply disable it to false. Some part of our code breaks as one session is not being maintained.
Related
I am using Tomcat 7.0, Spring 4.0.2, Web Module 3.0 in eclipse for my web application.
And I configured my session timeout in app/web.xml as well as tomcat/conf/web.xml.
<session-config><session-timeout>10</session-timeout></session-config>
I am sending one request called captureLastActiveTimeForCurrentFile after every 5 mins.
I need to ignore one request (suppose, captureLastActiveTimeForCurrentFile) from updating lastAccessedTime of session.
According http://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html#Sessions (org.apache.catalina.core.StandardHostValve.ACCESS_SESSION) default behavior of tomcat is : every request that is associated with a session will cause the session's last accessed time to be updated if the request explicitly accesses the session.
I am not accessing session explicitly from request (HttpServletRequest object) captureLastActiveTimeForCurrentFile. So According to my understanding tomcat should invalidate session after 10 min from any request done which is accessing session explicitly. But In my case tomcat never invalidate session because I am sending captureLastActiveTimeForCurrentFile after every 5 mins. But according to docs it should be. Can Anyone help me to understand what is happening here? Thanks in advance.
EDIT : I found some discussion regarding this topic here. But still I am not getting actual problem.
I have a tomcat 8 server in which i have two web app. I want to give access to both application by authenticating once an user.
I did it by setting sessionCookiePath="/" in catalina/conf/context.xml like this :
<Context useHttpOnly="false" sessionCookiePath="/">
Now the problem i am facing is tomcat is not changing session ID anymore. I got a warning message.
Warn org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy - your servlet container did not change the session id when a new session was created
On the link, it is said that tomcat is taking care of that by default.
http://www.tomcatexpert.com/blog/2011/04/25/session-fixation-protection
How can i fix it ?
Thanks
Yes, this is expected behaviour. The documentation hints at this but
does not make it explicitly clear.
Setting sessionCookiePath="/" is treated as a special case to support
portlet implementations. Once one web application obtains a session all
subsequent sessions for any web application also configured with
sessionCookiePath="/" will always get the same session ID. This holds
even if the session is invalidated and a new one created.
If a set of web application operates in this mode, changing the session
ID is a lot harder. You'd have to write a custom Tomcat component to do
it for you and even then I'm not sure that you can guarantee a smooth
change over.
I'm using Hibernate with Spring on Tomcat. I've been reading and re-reading the oft pointed to JBoss wiki page on the topic, and that has been helpful. But it leaves me with some questions.
The idea of starting a transaction for every request troubles me. I guess I could limit the filter to certain controllers -- maybe put all my controllers that need a transaction under a pseudo "tx" path or something. But isn't it a bad idea to use transactions if you don't know if you're going to need one? And if I'm just doing reads in some request -- reads that very likely may come from a cache -- aren't I better off without a transaction?
I've read posts mentioning how they handled the transactions at the service layer, and I'd like to do this with Spring. But then what does the filter code look like? I still want the session available in my view for some lazy loading.
If all I have to do is call sessionFactory.getCurrentSession() in my filter, how does it get "freed" back to the session factory for re-use? (I expected to see a session.close() or something, even when using transactions.) Who is telling the session factory that that session can be reused?
Perhaps it's the beginTransaction() call that binds a given database connection to a given session for the duration of a request? Otherwise, a session pulls db connections from the pool as needed, right?
Thanks for your patience with all my questions.
(And if your answer is going to be a link to the Spring documentation, you'll just make me cry. You don't want that, do you? I'll pay real money if people would stop answering Spring-related questions that way.)
Your concerns are valid, the solution provided on the wiki page is too simplistic. The transaction should not be managed at the web layer - it should be handled at the service layer.
The correct implementation would open a session and bind it to a thread in the filter. No transaction is started. The session is put in flush mode never - read only mode. A service call would set the session to flush mode auto & start / commit the transaction. Once the service method finishes the session flush mode is reverted back to never.
There is also an option to not open the session in the filter. Each service layer call would open a separate session & transaction - after the service call is done the session is not closed, but registered for deferred close. The session will be closed after the web request processing is complete.
Spring provides OpensessionInViewFilter which works as described above. So ignore the jboss wiki article and just configure the OpensessionInViewFilter - everything will be fine.
SessionFactory.getCurrentSession() - internally creates and assigns the session to a thread local. Each request / thread will have its own session. Once the web request processing is complete the session will be closed. From within your code you just need to use SessionFactory.getCurrentSession() and don't have to close it. The code sample on the jboss wiki page is wrong - it should have a SessionFactory.getCurrentSession().close() in the finally block. Or they might be using JTA transaction and configured hibernate to open/close session in conjunction with the JTA transaction.
It is not a problem if the filter creates a session for every request, because the sessions are coming from a session pool, and they will be reused. From the view of the OS, nothing happens.
A hibernate session is, by the fact, a tcp (or socket/pipe) connection to the database server. The cost of the db conn creation is very dependent from the sql type (postgresql is notably bad in this, altough it is very good in every anything). But it doesn't means really anything, because hibernate reuses the database connections.
The simple hibernate filter solution starts a new transaction on the session for every requests, too. It is transaction from the view of the SQL: it is a "BEGIN" and "COMMIT" query. It is always costly, and this should be reduced.
IMHO a possible solution were, if the transactions were started only at the first query of the current request. Maybe spring has something usable for this.
I have an ASP.NET MVC 3 application that uses Entity Framework 4.3 code first. The application works satisfactorily with the WebDev server in Visual Studio. Once the application is running in IIS 7.5, it is, it occasionally happens that the server no longer responds. The browser waits until it times out. Also, a refresh of the page does not help. Only if the browser is closed and restarted the IIS provides responses back to the browser.
The work processes are utilized here to 0%. An infinite loop is ruled out as cause therefore. When I examine the worker process with the debugger, all threads are in the external code. Even with WinDbg I can not identify the cause.
The application uses the DbContext together with the UnitOfWork pattern. The controllers receive an UnitOfWork object via dependency injection. The dependency resolution is done with the UnityDependencyResolver of the Unity.Mvc package. The Entity Framwork is also used in my own MembershipProvier and role providers, but here is the DbContext explicitly created and destroyed.
I'm desperate. What could cause this behavior?
All,
I am doing some investigation into how to shrink the amount of session memory our JSF application is consuming on a per user basis.
We are using MyFaces 1.1.7 and Tomahawk 1.1.5 running on IBM Websphere 7.0 patch 19. (Not able to upgrade either of these items at this time)
IBM’s guideline is that the session size should be less then 5k – average around 2.5k in order not to impact performance of the server and session replication. We are currently using Memory to Memory but looking at moving to database as suggested by IBM.
Our site was running at about 35M per user. We changed the number of view states from 100 to 10 and that dropped it down to around 4M.
We have several backing beans which are currently session scope and are looking at changing them to request scope.
I also found the following: http://www.econsulting.nl/images/pdf/Tuning%20JSF%20Applications-%20J-Spring%202008.pdf which seems to have a lot of information concerning how JSF handles certain content on the pages. This is still under investigation to make sure what is stated make sense.
I have also read somewhere that regardless if the managed backing bean is session or request scope is that the view state will still have the bean and its content. So the view state size will not change. Looking for clarification on this one.
The questions is are others facing the same issue in which JSF applications tend to consume a lot of memory for a given users session?
What are some of the best practices to reduce this size if any or is this just the way when using JSF?
Issues with session replication on IBM WebSphere when running a JSF application?
Is there any documentation out there on how JSF/MyFaces makes use of the heap memory - Young vs old or should it even be considered in this scope? Garbage collection tuning?
What we see as a result of this is that in the event a user hops to another server, the session data is not present due to how large the data is and how long it takes to replicate. User experience issues.
We had seen an issue in which it appeared that changes to the object in the session was not being updated correctly and have done some session management tuning in which we customize the settings so that all session attributes are written out. Looking at the .jar file it does appear that myFaces is making the call correctly when the contents of the object in the session changes. So WebSphere session listener should be picking up that change.
you can try saving view state on client, but I am not sure that MyFaces 1.1.7 already supports this