Following up on this old Javalin - Jetty Session Tracking post. At the end of that post, I mentioned “one final catch”, wherein I needed to explicitly run ctx.req.getSession() in order to start logging session data to my relational jettysessions table. That was due to my lack of understanding about some of the configuration options which are provided by Jetty.

For Jetty 9, you can find an overview here: Session Management.

And the equivalent in Jetty 10: HTTP Session Management.

Some key Jetty 9 classes are:

Some key settings include the following:

Jetty Class Setting Notes
SessionHandler setMaxInactiveInterval Integer. Sets the session timeout interval in seconds (i.e. the period of inactivity).
SessionHandler setHttpOnly Boolean. True if session cookies should only use HTTP. (see HTTP cookies.)
SessionCache setSaveOnCreate Boolean. Whether or not a session that is newly created should be immediately saved. If false, a session that is created and invalidated within a single request is never persisted.
SessionCache setFlushOnResponseCommit Boolean. If true, a dirty (i.e. changed) session will be written to the SessionDataStore just before a response is returned to the client.
SessionCache setInvalidateOnShutdown Boolean. If true, all existing sessions in the cache will be invalidated when the server shuts down. Default is false.
HouseKeeper setIntervalSec Integer. Period in seconds between runs of the session scavenger (10 minutes by default).

So, for example, a session handler method might look like this:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
private static SessionCache sessionCache = null;

public static SessionHandler create() {
    SessionHandler sessionHandler = new SessionHandler();

    sessionCache = new DefaultSessionCache(sessionHandler);
    sessionCache.setSessionDataStore(getJdbcDataStoreFactory(sessionHandler)
            .getSessionDataStore(sessionHandler));

    // the default is to persist the session on exit, not on create:
    sessionCache.setSaveOnCreate(true); // default is false
    // write changes to the data store as they happen:
    sessionCache.setFlushOnResponseCommit(true); // default is false
    // ensure sessions do not survive a server shutdown:
    sessionCache.setInvalidateOnShutdown(true); // default is false

    sessionHandler.setSessionCache(sessionCache);
    // cookie is sent only to the same site that originated it:
    sessionHandler.setSameSite(HttpCookie.SameSite.STRICT);
    // ensure the cookie cannot be accessed by client-side JavaScript:
    sessionHandler.setHttpOnly(true);
    // ensure the cookie can only be sent to the server via https,
    // (except for a localhost server, where http is permitted):
    sessionHandler.setSecureRequestOnly(true);
    // set timeout interval for unattended sessions:
    sessionHandler.setMaxInactiveInterval(90 * 60); // seconds

    return sessionHandler;
}

Also remember that classes which are going to be stored in sessions need to implement Serializable. For example, a javabean representing a user (avoiding any sensitive data, for security).