Tomcat session is not deleted even after invalidating http session in spring web application, this is causing memory leak

Question

I have invalidated session in HandlerInterceptorAdapter, Please refer the below code.

@Override
public void postHandle(HttpServletRequest request,
        HttpServletResponse response, Object handler,
        ModelAndView modelAndView) throws Exception {   request.getSession(false).invalidate();
    log.debug ("Session Deleted after invalidate:" + request.getSession(false));

}

Here I am seeing null in log. That means session is destroyed. Please correct me if I am wrong.

Now the problem is the PS Old Gen memory is growing, I have taken a dump from the server and I found there are lot of memory blocked by StandardSession related objects.

In the above image ConcurrentHashMap has lot of session id vs StandardSession object data.

Can someone please explain me why this session objects are not cleared from the memory even after invalidating the session.

@Override
public boolean preHandle(HttpServletRequest request,
        HttpServletResponse response, Object handler) throws Exception {
    createSession();    
    return setupSession(request);
}


private void createSession() {      
    ServletRequestAttributes sra = (ServletRequestAttributes)RequestContextHolder.getRequestAttributes();
    if(sra != null){
        HttpServletRequest req = sra.getRequest();    
        if(req != null){
            HttpSession session =  req.getSession(false);
            if(session != null) {
                log.debug("Invalidating old session");
                session.invalidate();
            }           
            session = req.getSession(true);
            session.setAttribute(StrutsSettingsHandler.REQUEST_TYPE_REST_KEY, 
                    StrutsSettingsHandler.REQUEST_TYPE_REST);

            session.setMaxInactiveInterval(10);
            log.debug ("New session created, Id = "+session.getId());                                       
        }
    }       
}

You are aware that your code might result in a `NullPointerException`? `getSession(false)` might return `null`. Also it doesn't mean you are destroying all the sessions next to that they will eventually time out anyway. If you are using JSP and don't want a session see http://stackoverflow.com/questions/5093032/how-do-you-disable-session-creation-for-all-jsps-with-tiles — M. Deinum, Mar 23 '16 at 09:15
I am not using the session after invalidate, that print is just to check whether the session is invalidated r not. And This is a rest API application — Rukmangada, Mar 23 '16 at 09:22
You are calling `invalidate` on a potentially `null` object, that will break (at moments you don't expect it). If you are using REST why are you even having a session... Don't force session creation that way you don't need to i validate it either. — M. Deinum, Mar 23 '16 at 09:24
That invalidate is not a problem and worked. The problem is memory leak in tomcat. I I have created session , because I wanted to store data in session for each REST request — Rukmangada, Mar 23 '16 at 09:27
Why would you use a session, just store it as a request attribute and don't use a session for that. Next to that why is it a memory leak, they will timeout after some time. — M. Deinum, Mar 23 '16 at 09:32
We cant use request attribute. We are trying to reuse lots of code for REST API. session is extensively used in existing code. So I need to create a session to use existing code. We did a performance test and it reached 10GB heap space, I the attached image it is just 1.5GB data — Rukmangada, Mar 23 '16 at 09:35
Well you are creating new sessions on each requests that means a major amount of sessions, why not simply reuse the existing once. Invalidate is about invalidating the session it doesn't say anything that the session should also be directly destroyed (physically). Also make sure you aren't keeping references to the session in your code else GC will never kick in, even if the session is invalided. — M. Deinum, Mar 23 '16 at 09:40
Since it is a REST API case we dont want to reuse the session. I am not storing this session reference anywhere. All that I am doing is I will set data in to session an I get data from session in my business logic. — Rukmangada, Mar 23 '16 at 09:45

Tomcat session is not deleted even after invalidating http session in spring web application, this is causing memory leak

0 Answers0