How to monitor and invalidate HTTP Sessions in WildFly

This article has been updated to show how to monitor and invalidate HTTP Sessions in WildFly application server / JBoss EAP using management instruments.

First of all, in order to gather statistics about HTTP sessions, you need to enable statistics on the undertow subsystem. You can do it from the CLI as follows:

/subsystem=undertow:write-attribute(name=statistics-enabled,value=true)

That being said, let’s start by checking an example application which has been deployed and has 2 active sessions:

/deployment=example.war/subsystem=undertow:read-resource(include-runtime=true)
{
    "outcome" => "success",
    "result" => {
        "active-sessions" => 2,
        "context-root" => "/example",
        "expired-sessions" => 0,
        "highest-session-count" => 2,
        "max-active-sessions" => -1,
        "rejected-sessions" => 0,
        "server" => "default-server",
        "session-avg-alive-time" => 0,
        "session-max-alive-time" => 0,
        "sessions-created" => 2,
        "virtual-host" => "default-host",
        "servlet" => undefined,
        "websocket" => undefined
    }
}

In order to invalidate an HTTP Session or check its attributes, we need to collect its Session id. This can be done programmatically at some point:

HttpSession session = request.getSession();
String sessionid = session.getId();

However, you can list HTTP Sessions from the CLI as well:

/deployment=example.war/subsystem=undertow:list-sessions()
{
    "outcome" => "success",
    "result" => [
        "iD_2bXgNFzOa5vPQvDoDuwXr1cec94xn2k-OvRk6",
        "4Jj6Y9qem8vAm8WXT3UAqvApBBfFszMLLWRyUqrK"
    ]
}

With that value, we can invalidate the HTTP Session as follows:

/deployment=example.war/subsystem=undertow:invalidate-session(session-id=iD_2bXgNFzOa5vPQvDoDuwXr1cec94xn2k-OvRk6)
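
As an added example (not part of the original article or of WildFly's own code), the same list-sessions and invalidate-session operations can be sent to the HTTP management API to invalidate every session of a deployment in one pass, for instance after credentials have been compromised. The endpoint URL, the use of Digest authentication and the function names are assumptions about a default standalone setup:

```python
import json
import urllib.error
import urllib.request

MGMT_URL = "http://localhost:9990/management"  # assumption: default management endpoint

def build_op(deployment, operation, **params):
    """JSON form of /deployment=<deployment>/subsystem=undertow:<operation>(...)."""
    op = {"operation": operation,
          "address": [{"deployment": deployment}, {"subsystem": "undertow"}]}
    op.update({k.replace("_", "-"): v for k, v in params.items()})  # session_id -> session-id
    return op

def make_sender(user, password, url=MGMT_URL):
    """Return send(op), which POSTs one operation using HTTP Digest authentication."""
    pm = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    pm.add_password(None, url, user, password)
    opener = urllib.request.build_opener(urllib.request.HTTPDigestAuthHandler(pm))

    def send(op):
        req = urllib.request.Request(url, data=json.dumps(op).encode(),
                                     headers={"Content-Type": "application/json"})
        try:
            with opener.open(req, timeout=10) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as err:
            if err.code == 500:  # assumption: failed operations carry a JSON body
                return json.load(err)
            raise
    return send

def invalidate_all(send, deployment, keep=()):
    """Invalidate every listed session of a deployment except the ids in keep.
    Returns (invalidated, failed): ids whose operation reported success or not."""
    reply = send(build_op(deployment, "list-sessions"))
    if reply.get("outcome") != "success":
        raise RuntimeError(f"list-sessions failed: {reply.get('failure-description')}")
    invalidated, failed = [], []
    for sid in reply.get("result") or []:
        if sid in keep:
            continue
        r = send(build_op(deployment, "invalidate-session", session_id=sid))
        (invalidated if r.get("outcome") == "success" else failed).append(sid)
    return invalidated, failed
```

Call it as `invalidate_all(make_sender(user, password), "example.war")`. Session ids are bearer credentials, so keep the returned lists out of shared logs.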

We can also check the list of attributes which have been added to the Session:

/deployment=example.war/subsystem=undertow:list-session-attribute-names(session-id=k3Yp2uwWYDxWhCe7JhpKghrEsxE6Gyo9lZgFySWC)
{
    "outcome" => "success",
    "result" => ["name"]
}

You can also list the attributes together with their values:

[standalone@localhost:9990 /] /deployment=example.war/subsystem=undertow:list-session-attributes(session-id=k3Yp2uwWYDxWhCe7JhpKghrEsxE6Gyo9lZgFySWC)
{
    "outcome" => "success",
    "result" => [("name" => "Frank")]
}

Monitoring and invalidating HTTP Sessions from WildFly Web Console

It is worth mentioning that you can also collect statistics and invalidate HTTP Sessions from the Web Console.

You should select your deployment unit under “Runtime / Server / Web / Deployment”. The following UI shows the core HTTP Session statistics:

[Screenshot: wildfly monitor inspect http sessions]

To invalidate an HTTP Session, choose a deployment and select the “View” button. Within the available categories (Sessions/Servlets/WebSockets), choose “Sessions”.

There, you can see all active sessions. Select a session to inspect HTTP session attributes. Also, you can invalidate a session by pressing “Invalidate Session”.


That’s it.