If you are not familiar with how sessions are configured in WebSphere, check out our getting started page.
By default, when a new application server is created, sessions are managed at the application server level, a maximum of 1000 sessions is allowed per application server, allow overflow is enabled, and excessive sessions are not stored in a database or in memory.
With these configurations, since allow overflow is enabled, after 1000 sessions are stored in memory, a second session memory table is constructed, and all of the additional sessions are stored in the second memory table. The sessions are stored in the application server's heap space (memory). If all of the heap space is used, the application server will experience an out of memory condition, which may cause the application server to heap dump. As an example, let's say an application server is configured with 256 MB of heap memory. When 1000 sessions are stored in the heap, perhaps this would use up just under half of the heap space.
With allow overflow enabled, additional sessions can be placed in the heap space, which could eventually use up all of the available heap space, causing the dreaded out of memory situation.
This may be even more problematic if you've enabled the override session management options for multiple applications in an application server. For example, let's say you have 3 applications deployed to your application server, each application has enabled the override session management option, and each application is configured to allow 1000 maximum sessions with allow overflow enabled. In this scenario, you are allowed 3000 maximum sessions, plus overflow, which could cause the application server to run out of memory and heap dump.
- Configure session management at the application server level. In other words, ensure applications do not have override session management enabled.
- Disable allow overflow and configure a reasonable maximum sessions value.
- Configure the distributed environment to store excessive sessions in a database or to replicate the sessions to a different application server. With this type of configuration, once the maximum session count has been reached (1000 in these examples) then new sessions would be stored in memory on the application server and the oldest, unused sessions would be stored in the database or replicated to a different application server.
- If storing sessions in a database, having a dedicated database for the sessions is ideal, so that performance isn't impacted by read/write requests to the database by other systems.
You may want to consider creating a template application server that has allow overflow disabled or that is configured to store excessive sessions in a database or on a different application server, so that when new application servers are created, they will be configured in a way that helps to prevent the application server from having an out of memory situation.
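The three-application scenario and the recommendations above can be checked mechanically. The following is an added example, not code from this page or from WebSphere: it audits constructed, simplified configuration fragments, and the element and attribute names (`scope`, `sessionManager`, `tuningParams`, `maxInMemorySessionCount`, `allowOverflow`, `sessionPersistenceMode`) are assumptions modelled on the settings named here, so adjust them to your actual configuration documents.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified config fragment (not copied from a real cell).
# Element and attribute names are assumptions modelled on the settings the
# page names: maximum in-memory sessions, allow overflow, persistence mode.
TEMPLATE = """<scope level="{level}" name="{name}">
  <sessionManager enable="true" sessionPersistenceMode="{mode}">
    <tuningParams maxInMemorySessionCount="{max}" allowOverflow="{overflow}"/>
  </sessionManager>
</scope>"""


def scope(level, name, max_sessions=1000, overflow="true", mode="NONE"):
    """Build one constructed config document for a server or an application."""
    return TEMPLATE.format(level=level, name=name, max=max_sessions,
                           overflow=overflow, mode=mode)


def audit(documents):
    """Return (findings, cap); cap is None when in-memory sessions are unbounded."""
    findings, cap, unbounded = [], 0, False
    for text in documents:
        root = ET.fromstring(text)
        name, level = root.get("name"), root.get("level")
        for manager in root.iter("sessionManager"):
            tuning = manager.find("tuningParams")
            if manager.get("enable") != "true" or tuning is None:
                continue  # session management is not active at this scope
            cap += int(tuning.get("maxInMemorySessionCount"))
            if level == "application":
                findings.append((name, "overrides server-level session management"))
            if tuning.get("allowOverflow") == "true":
                unbounded = True  # a second table grows until the heap is exhausted
                findings.append((name, "allow overflow enabled"))
    return findings, (None if unbounded else cap)


# The page's scenario: three applications, each overriding with 1000 + overflow.
RISKY = [scope("application", "app%d" % i) for i in (1, 2, 3)]
# Recommended shape: one server-level setting, overflow off, database persistence.
HARDENED = [scope("server", "server1", overflow="false", mode="DATABASE")]

if __name__ == "__main__":
    for label, docs in (("risky", RISKY), ("hardened", HARDENED)):
        findings, cap = audit(docs)
        print(label, "cap:", "unbounded" if cap is None else cap)
        for name, issue in findings:
            print("  %s: %s" % (name, issue))
```

With overflow disabled on the three overriding applications the cap becomes a finite 3000, which is still three times the server-level value and should be sized against the heap.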