The present invention relates to computer systems and software and more particularly to a method and system for increasing server capacity via expedited session invalidation.
In web-based applications, a user interface may be displayed in a web browser but the data used to generate the hypertext markup language (HTML) page is maintained on the web server. Because hypertext transfer protocol (HTTP) is a connectionless protocol, the web server is unaware when the user has closed the browser window. Anticipating that the user may initiate another request, the web server will keep the user's data associated with a session in memory even though the data may no longer be useful if the user has closed his browser window or accessed another web site. Maintaining this data in memory decreases the amount of memory available to other users of the web server and may result in a memory leak or loss of data associated with other active users.
One technique of minimizing the possibility of a memory leak or loss of data is to destroy the session data associated with a user when the last access time exceeds some predetermined time interval. Some web application servers may store user-specific application data in a session object. The session object maintains a record of the last access time by the user. If the last access time by the user exceeds some predetermined time interval, for example thirty minutes, a background thread on the web application server destroys the session object and returns the memory to a memory pool for use by other users. However, the memory is not immediately returned to the pool when no longer needed. Additionally, there may be times when the user does not interact with the application within the predetermined time interval but may still desire to keep the session established.
A “logout” button may also be provided in a web interface that will allow a user to explicitly signal the application server when the session is no longer needed. However, users may not understand the purpose of the button or may forget to click or operate the button before closing the browser or accessing another web site.
Additionally, if the session data is not destroyed or deleted when no longer needed, an unauthorized user may access the private session data. This type of attack may be carried out on a shared or unattended workstation when a user closes the main application window but does not close all browser windows. A sibling browser window that has remained open still retains the session key and can access the private session data. If another (unauthorized) user gains access to the sibling browser window before the session times out, the other user may gain access to all of the previous user's session data.
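The session lifecycle described in the three preceding paragraphs (a last-access timestamp, a background reaper that destroys idle sessions after the thirty-minute interval, an explicit logout that releases the session immediately, and the consequence for a sibling window that still holds the key) is illustrated below. This is an added example written for this page, not code from the patent or any particular application server; the class and function names, the injectable clock used so the timeout can be exercised without waiting, and the cart data are all constructed for illustration.

```python
import secrets
import threading
import time
from dataclasses import dataclass, field

# The page's example interval: thirty minutes of inactivity.
IDLE_TIMEOUT_SECONDS = 30 * 60


@dataclass
class Session:
    """Server-side session object: user-specific data plus last access time."""
    user: str
    last_access: float
    data: dict = field(default_factory=dict)


class SessionStore:
    """In-memory session table with idle-timeout reaping and explicit invalidation.

    `clock` is injectable (hypothetical helper, not from the page) so the idle
    timeout can be demonstrated deterministically; production code uses time.monotonic.
    """

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS, clock=time.monotonic):
        self.idle_timeout = idle_timeout
        self.clock = clock
        self._sessions = {}
        self._lock = threading.Lock()

    def create(self, user):
        # Session key is an unguessable random token; it is the only link a
        # browser window (including a sibling window) has to the server-side data.
        key = secrets.token_urlsafe(32)
        with self._lock:
            self._sessions[key] = Session(user=user, last_access=self.clock())
        return key

    def lookup(self, key):
        """Resolve a key to its session and refresh last access; None if unknown or idle too long."""
        with self._lock:
            session = self._sessions.get(key)
            if session is None:
                return None
            now = self.clock()
            if now - session.last_access > self.idle_timeout:
                del self._sessions[key]  # expired: destroy lazily on access
                return None
            session.last_access = now  # sliding idle timeout
            return session

    def invalidate(self, key):
        """Explicit logout: destroy the session now rather than waiting for the reaper.

        Any other window still holding this key gets nothing on its next request.
        """
        with self._lock:
            return self._sessions.pop(key, None) is not None

    def reap(self):
        """One sweep of the background thread: destroy idle sessions, return how many."""
        now = self.clock()
        with self._lock:
            expired = [k for k, s in self._sessions.items()
                       if now - s.last_access > self.idle_timeout]
            for k in expired:
                del self._sessions[k]
        return len(expired)

    def active_count(self):
        with self._lock:
            return len(self._sessions)


def start_reaper(store, interval_seconds):
    """Run store.reap() periodically on a daemon thread, as the page's background thread does."""
    def loop():
        while True:
            time.sleep(interval_seconds)
            store.reap()
    thread = threading.Thread(target=loop, daemon=True)
    thread.start()
    return thread


class FakeClock:
    """Constructed clock for the walk-through below; advance .t to simulate elapsed time."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def scenario():
    """Walk through timeout reaping and explicit logout; returns the observed outcomes."""
    clock = FakeClock()
    store = SessionStore(idle_timeout=IDLE_TIMEOUT_SECONDS, clock=clock)

    key = store.create("alice")
    store.lookup(key).data["cart"] = ["widget"]      # constructed session data
    clock.t += 1000                                   # well inside thirty minutes
    still_valid = store.lookup(key) is not None       # access refreshes last_access
    clock.t += IDLE_TIMEOUT_SECONDS + 1               # now idle past the interval
    reaped = store.reap()                             # background sweep destroys it
    gone_after_timeout = store.lookup(key) is None

    key2 = store.create("bob")
    logged_out = store.invalidate(key2)               # explicit logout button
    sibling_window_blocked = store.lookup(key2) is None  # same key from another window fails

    return {
        "still_valid": still_valid,
        "reaped": reaped,
        "gone_after_timeout": gone_after_timeout,
        "logged_out": logged_out,
        "sibling_window_blocked": sibling_window_blocked,
        "active": store.active_count(),
    }


if __name__ == "__main__":
    print(scenario())
```

The timeout here is a sliding idle timeout, matching the page's "last access time exceeds some predetermined time interval"; note that it only protects a session once the interval has elapsed, which is exactly the window the sibling-window scenario exploits. Explicit invalidation closes that window immediately because the key is removed on the server rather than merely cleared from the browser that clicked logout.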