Session Interaction Outline

This section describes the request process and how a Nucleus session name context is associated with that request.

  1. When a request comes in without a session ID in the cookie or in the URL, the application server creates a new session for the requested web application.

  2. The ATG PageFilter determines if the session has been failed over and needs to be restored, or is a new session.

  3. If the request is for the parent web application, a session name context is created with the current session ID and added to the Nucleus component /atg/dynamo/servlet/sessiontracking/GenericSessionManager.

    View that component in the Nucleus Component browser to see a list of current ATG session name contexts and the web applications that share those name contexts.

    If the request is for a child web application, the parent application’s session ID is resolved in one of two ways, depending on the application server.

    Some application servers maintain a single session ID between web applications for the same client (browser), in which case the session name context ID is the current web application’s session ID. This behavior is controlled by the /atg/dynamo/
    servlet/sessiontracking/GenericSessionManager.singleSessionIdPerUser     property, which is set to one of the following default values in the DafEar submodule configuration layer:

    Note: Do not change these values from their defaults.

    When the singleSessionIdPerUser value is true, the application server uses the same session ID for all web applications, so lookup is not required. Note that the application server hands out the same session id, but not the same HttpSession object.

    When singleSessionIdPerUser is false, a lookup determines the session name context ID. This is done by the atg.nucleus.servlet.SessionNameContextServlet servlet (included in atg_bootstrap.war), using a RequestDispatcher.include() call. The SessionNameContextServlet does two things:

  4. The atg.parent.session.id session attribute is set to the parent session ID to avoid repeating the lookup.

  5. A new session-scoped context of type atg.servlet.SessionNameContext now exists under the GenericSessionManager. Because the ATG Nucleus components live outside the application server’s session, an atg.servlet.SessionBindingReporter object is added to each web application session as an attribute. According to the J2EE spec, this object must be notified by the application server when the session is started (its valueBound method invoked) or invalidated (its valueUnbound method invoked).

  6. The SessionBindingReporter increments a counter in the SessionNameContext it belongs to. This counter keeps track of the number of child web application session references to the Nucleus session scope. As each child is requested during the course of the browser session, this number increases.

  7. When the application server expires a session, either because of a user request (session.invalidate() invoked) or due to a session timeout, it unbinds all the session attributes and invokes the atg.servlet.SessionBindingReporter.valueUnbound() method.

  8. The valueUnbound decrements the SessionNameContext counter.

  9. When the counter reaches 0, all the child and parent web application sessions have been expired and it is safe for the ATG Nucleus session scope to be removed.

Note: Because the only link to the underlying session is through the SessionBindingReporter attribute, session management is a common cause for memory leaks. One such leak occurs on IBM WebSphere in a clustered environment, where the session invalidation can occur in a different JVM instance than where the session originated. See the Session Management in a WebSphere Cluster section.

Copyright © 1997, 2012 Oracle and/or its affiliates. All rights reserved.

Legal Notices