HTTP Session Handling (Sun GlassFish Enterprise Server 2.1 Performance Tuning Guide)

Sun GlassFish Enterprise Server 2.1 Performance Tuning Guide

Follow these guidelines when using HTTP sessions:

Create sessions sparingly. Session creation is not free. If a session is not required, do not create one.
Use javax.servlet.http.HttpSession.invalidate() to release sessions when they are no longer needed.
Keep session size small, to reduce response times. If possible, keep session size below seven KB.
Use the directive <%page session="false"%> in JSP files to prevent the Enterprise Server from automatically creating sessions when they are not necessary.
Avoid large object graphs in an HttpSession . They force serialization and add computational overhead. Generally, do not store large objects as HttpSession variables.
Don’t cache transaction data in HttpSession. Access to data in an HttpSession is not transactional. Do not use it as a cache of transactional data, which is better kept in the database and accessed using entity beans. Transactions will rollback upon failures to their original state. However, stale and inaccurate data may remain in HttpSession objects. The Enterprise Server provides “read-only” bean-managed persistence entity beans for cached access to read-only data.