Sessions not removed from heap after expiration in EAP 7.4.0+

Environment

• JBoss Enterprise Application Platform (EAP) 7.4.0+

Issue

• After upgrading to EAP 7.4.0+, we see idle sessions pass their idle timeout but they are not removed from heap after their expiration.
• Java 8

Resolution

• For shared session configs not requiring replication, set the shared-session-config to a 2.0 schema instead of 1.0 so that it uses an Undertow InMemorySession manager instead of the infinispan cache impacted by this issue:

<jboss umlns="urn:jboss:1.0">
    <shared-session-config xmlns="urn:jboss:shared-session-config:2.0">
        <session-config>
        <session-timeout>5</session-timeout>    
            <cookie-config>
                <path>/</path>
            </cookie-config>
        </session-config>
    </shared-session-config>
</jboss>

• For replication use cases, consider removing the <distributable/> flag as a temporary workaround
• Upgrade to EAP 7.4.12+
• Upgrade to java 11+ as a solution. The issue occurs with java 8 from improper timestamp checks that allow the session to skip its expiration if two specific operations within the expiration check occurred in the same ms. Java 11 improved the involved clocks precision to nanoseconds so the issue occurrence is not possible if running with java 11 instead of java 8.

Root Cause

• This is introduced in EAP 7.4.0+ from This content is not included.WFLY-12581 changes to impact session expiration of applications using shared session configs or the flag
• This content is not included.JBEAP-24841

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.