SERVLET.HVR
HttpSession variables should be released when finished
Description
This rule flags HttpSession objects that are not released when the application has finished with them.
HttpSession objects live inside the WebSphere servlet engine until one of the following happens:
- The application explicitly and programmatically releases the session using the API javax.servlet.http.HttpSession.invalidate().
- WebSphere Application Server destroys the allocated HttpSession when it expires (by default, after 1800 seconds or 30 minutes). WebSphere Application Server can only maintain a certain number of HttpSessions in memory. When this limit is reached, WebSphere Application Server serializes and swaps the allocated HttpSession to disk. In a high-volume system, the cost of serializing many abandoned HttpSessions can be quite high.
Example
package SERVLET;

import javax.servlet.*;
import javax.servlet.http.*;

public class HVR {
    // violation, no javax.servlet.http.HttpSession.invalidate() is called.
    public void incorrectSession (HttpServletRequest request) {
        HttpSession mySession = request.getSession (false);
        String id = mySession.getId ();
        System.out.println ("HttpSession id = " + id);
    }
}
Repair
Call javax.servlet.http.HttpSession.invalidate() when finished.
    public void correctSession (HttpServletRequest request) {
        HttpSession mySession = request.getSession (false);
        // do something.
        if (mySession != null) {
            mySession.invalidate ();
        }
    }
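The servlet below is an added example, not code from the rule documentation or from IBM. It shows both release paths from the Description: an explicit invalidate() in a finally block so the session is released even when request handling throws, and a shorter inactivity timeout for sessions the client abandons. The class name, the "cart" attribute and the 300-second value are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical two-step workflow: GET starts it, POST finishes it.
public class CheckoutServlet extends HttpServlet {

    // Assumed bound for abandoned sessions (the default is 1800 seconds).
    private static final int ABANDONED_TIMEOUT_SECONDS = 300;

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HttpSession session = request.getSession(true);
        // If the client never comes back, the container reclaims the
        // session after 5 minutes instead of 30.
        session.setMaxInactiveInterval(ABANDONED_TIMEOUT_SECONDS);
        session.setAttribute("cart", "constructed sample cart");
        response.getWriter().println("Workflow started");
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getSession(false) never creates a session; null means none exists.
        HttpSession session = request.getSession(false);
        if (session == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "No active session");
            return;
        }
        try {
            boolean hasCart = session.getAttribute("cart") != null;
            response.getWriter().println(hasCart ? "Order placed" : "Cart is empty");
        } finally {
            // Last request of the workflow: release the session on every
            // exit path, including exceptions thrown above.
            try {
                session.invalidate();
            } catch (IllegalStateException alreadyInvalidated) {
                // The session expired or was invalidated elsewhere;
                // there is nothing left to release.
            }
        }
    }
}
```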
Reference
IBM WebSphere Application Server Standard and Advanced Editions, Harvey W. Gunther.
http://www-4.ibm.com/software/webservers/appserv/ws_bestpractices.pdf