Wednesday, November 9, 2011

ATG session management

Please go through the ATG Tech Note below on how ATG manages sessions on third-party servers.
https://docs.google.com/open?id=0B8rpgofYlaJnYTBiNGNmNjMtODU0MS00NDNmLThmOWItNGQzN2UwODBjODRi

The application server creates a separate session for each web application (WAR) in the EAR.
For example, your application (EAR) test.ear might contain common.war (context is /) and store.war (context is /store).

In JBoss, you can see how many sessions have been created for each web application.

For example, go to http://localhost:8080/jmx-console/
and search for host=localhost,path=/<web-app-context>,type=Manager. Once you click on that link, you will find many session-related settings such as activeSessions, maxInactiveInterval, etc. You can also list all sessions created for this context by invoking listSessionIds().
host=localhost,path=/,type=Manager shows how many sessions have been created with context "/"
host=localhost,path=/store,type=Manager shows how many sessions have been created with context "/store"

As mentioned in the ATG Tech Note above:
By default, DafEar\base\j2ee-components\atg-bootstrap.war is the parent application, with a context root of /dyn.
All web applications need to define the atg.session.parentContextName and atg.dafear.bootstrapContextName parameters in their web.xml to point to the parent web application.

ATG Nucleus components live outside the application server's session,
so a listener (atg.servlet.SessionBindingReporter) is added to each web application session as an attribute.
Whenever the application server creates a new session,
      SessionBindingReporter increments SessionNameContext.mNumWrappingNameContexts.
Whenever the application server invalidates a session,
      SessionBindingReporter decrements SessionNameContext.mNumWrappingNameContexts.

Thus, when SessionNameContext.mNumWrappingNameContexts reaches zero, which means all parent and child web-app sessions have expired, the ATG Nucleus session-scoped components for that session are removed.

Even if you have a different timeout set at each WAR level, the highest among them is what counts for session expiration, because ATG removes session-scoped components only when all web-app sessions are invalidated.
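
The reference counting described above can be modelled in a few lines. This is an added example, not ATG source code: the class and method names are hypothetical stand-ins, only the mNumWrappingNameContexts counter name comes from the text, and the three timeouts are constructed sample values.

```java
import java.util.LinkedHashMap;
import java.util.Map;
/** Simplified model of the reference counting described above; not ATG source code. */
public class SessionRefCountDemo {

    /** Hypothetical stand-in for SessionNameContext, reduced to its counter. */
    static class NameContextModel {
        int mNumWrappingNameContexts = 0;   // counter name taken from the text
        boolean componentsRemoved = false;
        void sessionBound() { mNumWrappingNameContexts++; }
        void sessionUnbound() {
            if (mNumWrappingNameContexts > 0 && --mNumWrappingNameContexts == 0) {
                componentsRemoved = true;   // session-scoped components are released here
            }
        }
    }

    /** Returns the minute at which the session-scoped components are removed, or -1. */
    static int minuteComponentsRemoved(Map<String, Integer> timeoutByContext) {
        NameContextModel ctx = new NameContextModel();
        int lastMinute = 0;
        for (int timeout : timeoutByContext.values()) {
            ctx.sessionBound();             // one container session per web application
            lastMinute = Math.max(lastMinute, timeout);
        }
        // Assumption: no further requests arrive, so each session expires at its own timeout.
        for (int minute = 1; minute <= lastMinute; minute++) {
            for (Map.Entry<String, Integer> e : timeoutByContext.entrySet()) {
                if (e.getValue() == minute) {
                    ctx.sessionUnbound();
                    System.out.printf("t=%d min: %s session invalidated, count=%d%n",
                            minute, e.getKey(), ctx.mNumWrappingNameContexts);
                }
            }
            if (ctx.componentsRemoved) return minute;
        }
        return -1;                          // only when no positive timeout was given
    }

    public static void main(String[] args) {
        // Constructed sample timeouts in minutes, keyed by context root.
        Map<String, Integer> timeouts = new LinkedHashMap<>();
        timeouts.put("/dyn", 30);           // parent application (atg-bootstrap.war)
        timeouts.put("/", 20);              // common.war
        timeouts.put("/store", 25);         // store.war
        System.out.println("Session-scoped components removed at minute "
                + minuteComponentsRemoved(timeouts));
    }
}
```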

Handling session expiration during form submission.
To redirect the user to a session expiration page when his/her session is invalidated during form submission:

Set checkForValidSession to true in your form handler's properties file, or set it using dsp:input at the time of form submission.
This approach works only if the form handler extends GenericFormHandler and uses the "checkFormRedirect" method to redirect to the success or failure page.

If this property is set, GenericFormHandler.checkFormRedirect adds a form exception with the key "sessionExpired" and redirects to the failure page.

For some OOTB form handlers, such as ShoppingCartModifier and CartModifierFormHandler, there is another way to do this.

Both ShoppingCartModifier and CartModifierFormHandler have a property "sessionExpirationURL".
Set this property (as a hidden input in the form) to the page to which you want the user redirected if his/her session has been invalidated.
Example:
<dsp:input bean="ShoppingCartModifier.sessionExpirationURL" type="hidden" value="../../common/SessionExpired.jsp"/>

Regarding session timeout
Note that sessions are created and managed by application servers like JBoss, WebLogic or WebSphere, so the session timeout set at the application server is used (/atg/dynamo/servlet/sessiontracking/SessionManager.sessionInvalidationTime is not considered).

The ATG session timeout can be set at each web-app level (web.xml) or at the global level.
By default, the session timeout is set to 30 minutes in JBoss.
In /cygdrive/c/Ecomm/jboss-eap-4.2/jboss-as/server/<server>/deploy/jboss-web.deployer/conf
    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>
In WebLogic, in weblogic-application.xml:
<?xml version="1.0" encoding="UTF-8"?>
<!--
    ============================================================
    weblogic-application.xml
    This file is used to configure
    cookie name, session timeout, id length
    ============================================================
-->
<wls:weblogic-application xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wls="http://www.bea.com/ns/weblogic/90" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/j2ee_1_4.xsd http://www.bea.com/ns/weblogic/90 http://www.bea.com/ns/weblogic/90/weblogic-application.xsd">
  <wls:application-param>
    <wls:param-name>webapp.encoding.default</wls:param-name>
    <wls:param-value>UTF-8</wls:param-value>
  </wls:application-param>
  <wls:session-descriptor>
    <wls:cookie-name>JSESSIONID</wls:cookie-name>
    <wls:timeout-secs>1200</wls:timeout-secs>
    <wls:id-length>14</wls:id-length>
    <wls:sharing-enabled>true</wls:sharing-enabled>
    <wls:url-rewriting-enabled>false</wls:url-rewriting-enabled>
  </wls:session-descriptor>
</wls:weblogic-application>

Warn user about session expiration
To notify the user of session expiration, for example with a pop-up, we need to use JavaScript. This JavaScript should usually be included in the header page so that it is executed on all pages.
function sessionTimeout() {
    var millsec = 29 * 60 * 1000; // depending on your session timeout.
    // Pass the function itself; a string argument would be evaluated like eval().
    setTimeout(sessionWarning, millsec);
}

function sessionWarning() {
    var warningURL = "/common/sessiontimeoutlogoutwarning.htm";
    var win = window.open(warningURL, "sessionTimeoutWarning", "width=450,height=175");
    // window.open returns null when the pop-up is blocked.
    if (win) {
        win.focus();
    }
}

// Start the session timeout timer.
sessionTimeout();
