javax.servlet.http.HttpSession provides a way to identify a user across multiple HTTP requests and to store user-specified information. In other words, it supports stateful communication over the stateless HTTP protocol. For security and memory management, sessions need to be invalidated at a certain time. There are two related methods in HttpSession:

HttpSession.invalidate()

Invoking invalidate() invalidates the session immediately. This is useful in cases such as logout.

HttpSession.setMaxInactiveInterval(int interval)

The method setMaxInactiveInterval(int interval) allows us to configure the time (in seconds) between client requests before the servlet container will invalidate the session. That is, an idle session will be invalidated after the specified time. In GlassFish 4.0 (and earlier versions), there is a reaper thread that periodically cleans up invalidated HttpSession instances at a specific reap interval (reapInterval). Let rtpt(s) be the time interval between the start of the reaper process and the moment the given session s is processed. Then we have the following inequalities:

    maxInactiveInterval + rtpt(s) <= invalidatedTime(s) <= maxInactiveInterval + reapInterval + rtpt(s)

In general, rtpt(s) is small. We would like to configure the reap interval. By default, the reap interval (reapInterval) is 60 seconds and it can be configured as follows:
  • at the server level:

      asadmin set configs.config.server-config.web-container.session-config.session-manager.manager-properties.reap-interval-in-seconds=10

  • at the application level: we can specify the configuration in glassfish-web.xml as follows:

      <!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN" "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
      <glassfish-web-app>
        <session-config>
          <session-manager>
            <manager-properties>
              <property name="reapIntervalSeconds" value="10"/>
            </manager-properties>
          </session-manager>
        </session-config>
      </glassfish-web-app>
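
To check the inequalities above on a running server, a session listener can log how long each session stayed idle before the container destroyed it. This is an added example, not code from the original post: the class name SessionReapAudit is hypothetical, and it assumes the container still permits getLastAccessedTime() inside sessionDestroyed().

```java
import java.util.logging.Logger;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Added example (hypothetical class): measures how far past
// maxInactiveInterval a session lived before it was destroyed.
@WebListener
public class SessionReapAudit implements HttpSessionListener {

    private static final Logger LOG =
            Logger.getLogger(SessionReapAudit.class.getName());

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // Nothing to record at creation time.
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession s = se.getSession();
        try {
            long idleMs = System.currentTimeMillis() - s.getLastAccessedTime();
            long maxMs = s.getMaxInactiveInterval() * 1000L;

            if (maxMs > 0 && idleMs >= maxMs) {
                // Timed out: the overshoot should stay below
                // reapInterval + rtpt(s) per the inequalities above.
                LOG.info(String.format(
                        "session timed out: idle=%d ms, max=%d ms, overshoot=%d ms",
                        idleMs, maxMs, idleMs - maxMs));
            } else {
                // Destroyed before the timeout, e.g. invalidate() on logout.
                LOG.info(String.format(
                        "session invalidated explicitly: idle=%d ms, max=%d ms",
                        idleMs, maxMs));
            }
        } catch (IllegalStateException e) {
            // The container had already marked the session invalid.
            LOG.warning("session already invalid when listener was called");
        }
    }
}
```

The session ID is deliberately left out of the log messages so that the log cannot be used to recover live session identifiers.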