Atozed Forums
Active sessions problem - Printable Version



Active sessions problem - ioan - 06-12-2019

I have a problem where from time to time there are thousands of sessions open on the server and every time between 5% and 10% of those are legitimate, the rest... I have no idea how they were created and why. 

In my code the sessions that are for the level OPERATOR or ROOT never expire as long as the browser is still connected (the levels will appear in the pastebin and my code below). The AGENT level sessions are alive for 15 minutes, the USER level sessions are alive for 10 minutes and if there is no level I time out the session after 1 minute.

This works fine for many hours, but sometimes when I check the active sessions there are thousands of them and they never expire:

https://pastebin.com/raw/x0YASKBS

To control the time the sessions stay active I have a timer set for 20 seconds on each form:


Code:
procedure TformBalance.HeartbeatTimerAsyncTimer(Sender: TObject;  EventParams: TStringList);
begin
  StopHeartbeatTimer(HeartbeatTimer);
end;


procedure StopHeartbeatTimer(AHeartbeatTimer: TIWTimer; ACount: integer);
var
  iHeartbeats: integer;
begin
  if ACount > 0 then
    iHeartbeats := ACount
  else
    // a heartbeat is every 20 seconds, so the timeout is (iHeartbeats * 20) seconds.
    if UserSession.LevelString = 'USER' then
      iHeartbeats := 30
    else if (UserSession.LevelString = 'AGENT') or
      (UserSession.LevelString = 'COMPANY') then
      iHeartbeats := 45
    else if (UserSession.LevelString = '') then
      iHeartbeats := 1
    else
      Exit; // do not timeout

  if AHeartbeatTimer.Tag > iHeartbeats then
    AHeartbeatTimer.Enabled := false;
  AHeartbeatTimer.Tag := AHeartbeatTimer.Tag + 1;
end;

The ServerController's Session Timeout field value is 1.

Does anyone have any idea where those sessions are coming from and why they are not timing out?

Edit: It might be a good idea for me to use the "rubber duck debugging method". Almost every time I post a question here, while I'm explaining what's happening I find the problem. Now I'm not sure if this is the fix, but a better code for the StopHeartbeatTimer procedure would handle all legitimate levels and the last "else" would be for everything else, aka timeout right away. 



Code:
    // a heartbeat is every 20 seconds, so the timeout is (iHeartbeats * 20) seconds.
    if UserSession.LevelString = 'USER' then
      iHeartbeats := 30
    else if (UserSession.LevelString = 'AGENT') or
      (UserSession.LevelString = 'COMPANY') then
      iHeartbeats := 45
    else if (UserSession.LevelString = 'ROOT') or
      (UserSession.LevelString = 'OPERATOR') then
      Exit // do not timeout
    else
      iHeartbeats := 1;



RE: Active sessions problem - kudzu - 06-12-2019

1 is a very short timeout...... not advisable.

20 second ping - that's overly aggressive too IMO and depending on your restart options could be loading up the new sessions.

IW has built in functionality for timeouts, keep alives etc.


RE: Active sessions problem - Alexandre Machado - 06-12-2019

Hi Ioan,

There is a KeepAlive property on IWForm which should give you this functionality. The built-in keep alive functionality is *very* lightweight (it doesn't block sessions at all) and won't start new sessions ever. Any reason why you are not using it?


RE: Active sessions problem - ioan - 06-13-2019

(06-12-2019, 11:52 PM)Alexandre Machado Wrote: Hi Ioan,

There is a KeepAlive property on IWForm which should give you this functionality. The built-in keep alive functionality is *very* lightweight (it doesn't block sessions at all) and won't start new sessions ever. Any reason why you are not using it?

Hi Alexandre,

I can't use the built-in keep alive feature because some of our users need to be HIPAA compliant so I need to time out inactive users after a period even if they still have the browser opened on one of the forms. Also, I have multiple security levels in the same application and each gets a different time out period. A nice feature would be if we could configure the time out period for each session individually.

(06-12-2019, 09:53 PM)kudzu Wrote: 1 is a very short timeout...... not advisable.

20 second ping - that's overly aggressive too IMO and depending on your restart options could be loading up the new sessions.

IW has built in functionality for timeouts, keep alives etc.

I'm sure you are right. I'll increase the timeout in ServerController and maybe do a 40-60 seconds ping.


RE: Active sessions problem - kudzu - 06-13-2019

Even a 60 second ping seems a bit heavy. Do your sessions have a heavy memory footprint? (Note, in many IW applications such is valid depending on needs)


RE: Active sessions problem - DanBarclay - 06-13-2019

Ioan,

You might consider thinking of the keepalive and security timeout separately.

Keep track of your user's last "touch time" and bail out if they try to do something after their security timeout. But, use the keepalive to maintain the session and you can set session timeout relatively short (arbitrarily short and not affected by security timeout).

If you need to proactively show a "signed out" message then set up a relatively long timer to occasionally clean up. Your security is met by not accepting activity after, say, 10 minutes even if the cleanup timer only fires every 15 or 20 minutes. Should be very low overhead.

Dan
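
The separation described in the post above, sketched as an added example (not code from the thread or from IntraWeb): idle time is measured from the last real user action, so keepalive traffic cannot extend it, and an empty or unknown level gets the shortest limit. TIdleGuard, Touch and IsExpired are hypothetical names; the limits are the ones given in the first post.

```pascal
program IdleTimeoutDemo;
{$IFDEF FPC}{$MODE DELPHI}{$ENDIF}
{$APPTYPE CONSOLE}
uses SysUtils, DateUtils;
type
  // Hypothetical per-session state (not an IntraWeb type).
  TIdleGuard = record
    LevelString: string;
    LastTouch: TDateTime; // set only by real user actions
  end;

// Idle limit in seconds; 0 = never expires. Values as stated in the thread.
function IdleLimitSeconds(const ALevel: string): Integer;
begin
  if ALevel = 'USER' then
    Result := 10 * 60
  else if (ALevel = 'AGENT') or (ALevel = 'COMPANY') then
    Result := 15 * 60
  else if (ALevel = 'ROOT') or (ALevel = 'OPERATOR') then
    Result := 0
  else
    Result := 60; // no or unknown level: shortest limit (fail closed)
end;

// Call from handlers of genuine user actions, never from the keepalive.
procedure Touch(var G: TIdleGuard; ANow: TDateTime);
begin
  G.LastTouch := ANow;
end;

// Check before handling any user action; True = refuse and sign out.
function IsExpired(const G: TIdleGuard; ANow: TDateTime): Boolean;
var
  Limit: Integer;
begin
  Limit := IdleLimitSeconds(G.LevelString);
  Result := (Limit > 0) and (SecondsBetween(ANow, G.LastTouch) >= Limit);
end;

var
  G: TIdleGuard;
  T0: TDateTime;
begin
  T0 := EncodeDateTime(2019, 6, 13, 9, 0, 0, 0); // constructed sample time
  G.LevelString := 'USER';
  Touch(G, T0); // keepalive pings after this point do not call Touch
  WriteLn('USER, 9 min idle: ', IsExpired(G, IncMinute(T0, 9)));
  WriteLn('USER, 11 min idle: ', IsExpired(G, IncMinute(T0, 11)));
  G.LevelString := 'ROOT';
  WriteLn('ROOT, 8 h idle: ', IsExpired(G, IncHour(T0, 8)));
end.
```

Because the check runs on every user action, the session timeout configured on the server can stay short and independent of these limits.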


RE: Active sessions problem - Alexandre Machado - 06-14-2019

(06-13-2019, 01:25 PM)ioan Wrote:
(06-12-2019, 11:52 PM)Alexandre Machado Wrote: Hi Ioan,

There is a KeepAlive property on IWForm which should give you this functionality. The built-in keep alive functionality is *very* lightweight (it doesn't block sessions at all) and won't start new sessions ever. Any reason why you are not using it?

Hi Alexandre,

I can't use the built-in keep alive feature because some of our users need to be HIPAA compliant so I need to time out inactive users after a period even if they still have the browser opened on one of the forms. Also, I have multiple security levels in the same application and each gets a different time out period. A nice feature would be if we could configure the time out period for each session individually.

(06-12-2019, 09:53 PM)kudzu Wrote: 1 is a very short timeout...... not advisable.

20 second ping - that's overly aggressive too IMO and depending on your restart options could be loading up the new sessions.

IW has built in functionality for timeouts, keep alives etc.

I'm sure you are right. I'll increase the timeout in ServerController and maybe do a 40-60 seconds ping.



RE: Active sessions problem - DanBarclay - 06-14-2019

Alex,
Like the other thread, your post only includes the quote. Hmmm...

Dan


RE: Active sessions problem - ioan - 06-20-2019

It seems the problem has nothing to do with my timeout logic. The stuck sessions appear even without it and with keepalive=true on all forms.

When the problem appears (this is only once in a while - about once or twice a day - usually at night at low traffic times), no sessions are terminated anymore. Even if I call Terminate, nothing happens. To test, I added this code to my application:

Code:
    xList := GSessions.LockList(False);
    try
      for i := 0 to xList.Count - 1 do
      begin
        App := TIWApplication(xList[i]);
        if (TIWUserSession(App.Data).LevelString = '') and (App.ActiveForm = nil) then
          App.Terminate;
      end;
    finally
      GSessions.UnLockList(xList);
    end;

and no sessions were terminated (about 95% of the active sessions when the problem occurs will have the levelstring='' and activeform=nil). To test some more, I'll put the same code without the "if" and try to terminate all active sessions. I'll report back when I have the results.


RE: Active sessions problem - Alexandre Machado - 06-20-2019

(06-14-2019, 06:06 AM)DanBarclay Wrote: Alex,
Like the other thread, your post only includes the quote.   Hmmm...

Dan

Yes.... I think I have to find another browser LOL

Thanks, Dan