Active sessions problem
#1
I have a problem where from time to time there are thousands of sessions open on the server and every time between 5% and 10% of those are legitimate, the rest... I have no idea how they were created and why. 

In my code the sessions that are for the level OPERATOR or ROOT never expire as long as the browser is still connected (the levels will appear in the pastebin and my code below). The AGENT level sessions are alive for 15 minutes, the USER level sessions are alive for 10 minutes and if there is no level I time out the session after 1 minute.

This works fine for many hours, but sometimes when I check the active sessions there are thousands of them and they never expire:

https://pastebin.com/raw/x0YASKBS

To control the time the sessions stay active I have a timer set for 20 seconds on each form:


Code:
procedure TformBalance.HeartbeatTimerAsyncTimer(Sender: TObject;  EventParams: TStringList);
begin
  StopHeartbeatTimer(HeartbeatTimer);
end;


procedure StopHeartbeatTimer(AHeartbeatTimer: TIWTimer; ACount: integer);
var
  iHeartbeats: integer;
begin
  if ACount > 0 then
    iHeartbeats := ACount
  else
    // a heartbeat is every 20 seconds, so the timeout is (iHeartbeats * 20) seconds.
    if UserSession.LevelString = 'USER' then
      iHeartbeats := 30
    else if (UserSession.LevelString = 'AGENT') or
      (UserSession.LevelString = 'COMPANY') then
      iHeartbeats := 45
    else if (UserSession.LevelString = '') then
      iHeartbeats := 1
    else
      Exit; // do not timeout

  if AHeartbeatTimer.Tag > iHeartbeats then
    AHeartbeatTimer.Enabled := false;
  AHeartbeatTimer.Tag := AHeartbeatTimer.Tag + 1;
end;

The ServerController's Session Timeout field value is 1.

Does anyone have any idea where those sessions are coming from and why they are not timing out?

Edit: It might be a good idea for me to use the "rubber duck debugging method". Almost every time I post a question here, while I'm explaining what's happening I find the problem. Now I'm not sure if this is the fix, but a better code for the StopHeartbeatTimer procedure would handle all legitimate levels and the last "else" would be for everything else, aka timeout right away. 



Code:
    // a heartbeat is every 20 seconds, so the timeout is (iHeartbeats * 20) seconds.
    if UserSession.LevelString = 'USER' then
      iHeartbeats := 30
    else if (UserSession.LevelString = 'AGENT') or
      (UserSession.LevelString = 'COMPANY') then
      iHeartbeats := 45
    else if (UserSession.LevelString = 'ROOT') or
      (UserSession.LevelString = 'OPERATOR') then
      Exit // do not timeout
    else
      iHeartbeats := 1;
Reply
#2
1 is a very short timeout...... not advisable.

20 second ping - that's overly aggressive too IMO and depending on your restart options could be loading up the new sessions.

IW has built in functionality for timeouts, keep alives etc.
Reply
#3
Hi Ioan,

There is a KeepAlive property on IWForm which should give you this functionality. The built-in keep alive functionality is *very* lightweight (it doesn't block sessions at all) and won't start new sessions ever. Any reason why you are not using it?
Reply
#4
(06-12-2019, 11:52 PM)Alexandre Machado Wrote: Hi Ioan,

There is a KeepAlive property on IWForm which should give you this functionality. The built-in keep alive functionality is *very* lightweight (it doesn't block sessions at all) and won't start new sessions ever. Any reason why you are not using it?

Hi Alexandre,

I can't use the built-in keep alive feature because some of our users need to be HIPAA compliant so I need to time out inactive users after a period even if they still have the browser opened on one of the forms. Also, I have multiple security levels in the same application and each gets a different time out period. A nice feature would be if we could configure the time out period for each session individually.

(06-12-2019, 09:53 PM)kudzu Wrote: 1 is a very short timeout...... not advisable.

20 second ping - that's overly aggressive too IMO and depending on your restart options could be loading up the new sessions.

IW has built in functionality for timeouts, keep alives etc.

I'm sure you are right. I'll increase the timeout in ServerController and maybe do a 40-60 seconds ping.
Reply
#5
Even a 60 second ping seems a bit heavy. Do your sessions have a heavy memory footprint? (Note, in many IW applications such is valid depending on needs)
Reply
#6
Ioan,

You might consider thinking of the keepalive and security timeout separately.

Keep track of your user's last "touch time" and bail out if they try to do something after their security timeout. But, use the keepalive to maintain the session and you can set session timeout relatively short (arbitrarily short and not affected by security timeout).

If you need to proactively show a "signed out" message then set up a relatively long timer to occasionally clean up. Your security is met by not accepting activity after, say, 10 minutes even if the cleanup timer only fires every 15 or 20 minutes. Should be very low overhead.

Dan
Reply
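
The split Dan describes between keepalive and security timeout, as an added example that is not part of the original thread or of IntraWeb: a plain Object Pascal console program using the per-level limits from post #1, with unknown levels failing closed. `TSessionInfo`, `IdleLimitSeconds`, `IsIdleExpired` and `TryTouch` are hypothetical names, and the wiring into IntraWeb forms and the user session is assumed and not shown.

```pascal
program IdleTimeoutDemo;
{$IFDEF FPC}{$MODE DELPHI}{$ENDIF}
{$APPTYPE CONSOLE}
uses SysUtils, DateUtils;

type
  // Hypothetical stand-in for the per-session state of the application.
  TSessionInfo = record
    Level: string;        // 'ROOT', 'OPERATOR', 'AGENT', 'COMPANY', 'USER' or ''
    LastTouch: TDateTime; // set by real user actions only, never by a keepalive
  end;

// Idle limit in seconds for a level; 0 means no security timeout.
// Anything unrecognised gets the shortest limit, so it fails closed.
function IdleLimitSeconds(const ALevel: string): Integer;
begin
  if (ALevel = 'ROOT') or (ALevel = 'OPERATOR') then
    Result := 0
  else if (ALevel = 'AGENT') or (ALevel = 'COMPANY') then
    Result := 15 * 60
  else if ALevel = 'USER' then
    Result := 10 * 60
  else
    Result := 60;
end;

function IsIdleExpired(const ASession: TSessionInfo; ANow: TDateTime): Boolean;
begin
  Result := (IdleLimitSeconds(ASession.Level) > 0) and
    (SecondsBetween(ANow, ASession.LastTouch) > IdleLimitSeconds(ASession.Level));
end;

// Gate for every real user action: refuse an expired session, else record the touch.
function TryTouch(var ASession: TSessionInfo; ANow: TDateTime): Boolean;
begin
  Result := not IsIdleExpired(ASession, ANow);
  if Result then
    ASession.LastTouch := ANow;
end;

var S: TSessionInfo; T0: TDateTime;
begin
  T0 := EncodeDateTime(2019, 6, 13, 9, 0, 0, 0); // constructed sample time
  S.Level := 'USER'; S.LastTouch := T0;
  Writeln('USER, 9 min idle:    ', TryTouch(S, IncMinute(T0, 9)));
  Writeln('USER, 11 min idle:   ', TryTouch(S, IncMinute(T0, 20)));
  S.Level := ''; S.LastTouch := T0;
  Writeln('no level, 90 s idle: ', TryTouch(S, IncSecond(T0, 90)));
end.
```

Only handlers of real user actions should go through the gate; a keepalive request that passed through it would reset the idle clock for a browser nobody is using.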
#7
(06-13-2019, 01:25 PM)ioan Wrote:
(06-12-2019, 11:52 PM)Alexandre Machado Wrote: Hi Ioan,

There is a KeepAlive property on IWForm which should give you this functionality. The built-in keep alive functionality is *very* lightweight (it doesn't block sessions at all) and won't start new sessions ever. Any reason why you are not using it?

Hi Alexandre,

I can't use the built-in keep alive feature because some of our users need to be HIPAA compliant so I need to time out inactive users after a period even if they still have the browser opened on one of the forms. Also, I have multiple security levels in the same application and each gets a different time out period. A nice feature would be if we could configure the time out period for each session individually.

(06-12-2019, 09:53 PM)kudzu Wrote: 1 is a very short timeout...... not advisable.

20 second ping - that's overly aggressive too IMO and depending on your restart options could be loading up the new sessions.

IW has built in functionality for timeouts, keep alives etc.

I'm sure you are right. I'll increase the timeout in ServerController and maybe do a 40-60 seconds ping.
Reply
#8
Alex,
Like the other thread, your post only includes the quote. Hmmm...

Dan
Reply

