vaadin.closeIdleSessions vs vaadin.heartbeatInterval vs servlet.session.timeout

Below is my config in the application properties file for Vaadin Flow 23, JDK 17:

server:
  servlet:
    session:
      timeout: 30m

vaadin:
  closeIdleSessions: true
  heartbeatInterval: 300 # 5 mins

Question is:

  1. Because of closeIdleSessions = true, Vaadin heartbeat requests will not reset the servlet session? Meaning that if the user is inactive for 30 minutes, then the servlet session will expire even if a heartbeat is sent every 5 mins?

  2. Is the effect the same for the load balancer? The TTL (time to live) of the sticky session will not be affected by the Vaadin heartbeat? Say if I set TTL = 15 mins for the LB, then after 15 mins, the sticky session will expire even if the heartbeat keeps being sent to the LB every 5 minutes?

  1. Is explained here in detail Vaadin Session Timeout / Heartbeats – Martin Vysny – First Principles Thinking (TL;DR “yes, but”)
  2. It depends on what your LB does and what TTL means in their sense.

Thanks @knoobie

I am using a DigitalOcean LB with the config below:

apiVersion: v1
kind: Service
metadata:
  name: iad-do-balancer
  annotations:
    service.beta.kubernetes.io/do-loadbalancer-protocol: "https"
    service.beta.kubernetes.io/do-loadbalancer-certificate-id: "12345" 
    service.beta.kubernetes.io/do-loadbalancer-redirect-http-to-https: "true"
    service.beta.kubernetes.io/do-loadbalancer-algorithm: "least_connections"
    kubernetes.digitalocean.com/load-balancer-id: "67890" 
    service.beta.kubernetes.io/do-loadbalancer-sticky-sessions-type: "cookies"
    service.beta.kubernetes.io/do-loadbalancer-sticky-sessions-cookie-name: "iad_prod_lb"
    service.beta.kubernetes.io/do-loadbalancer-sticky-sessions-cookie-ttl: "1800" # 1800 seconds

I set LB TTL = 30 mins and I set Spring boot session timeout 3h.

server:
  servlet:
    session:
      timeout: 3h

vaadin:
  closeIdleSessions: true
  heartbeatInterval: 300 # 5 mins

The result is that if the user is inactive for 30 mins, the session will time out. But I expected the session to time out only after 3h.

So, I suspected the issue is from the LB TTL timeout config.

Well, this name says it all. Without affinity the session of the user is possibly rerouted to another pod - not destroying - but possibly moving your user, making him log out… No idea about best practices for ingress, but I would remove this setting or make it infinite. Let your application delete the sticky session cookie on logout.

Right @knoobie

That's why I want to check if the Vaadin heartbeat will reset the LB TTL. If it does not, then after 30 mins, the subsequent requests may be routed to other pods, causing the UI session to be invalid → logout.
I am almost thinking about increasing the TTL to a bigger value :smile:

Not sure if the Vaadin heartbeat uses Connection: keep-alive in the HTTP header?

You could just check the developers tab and inspect the traffic :wink: and even if it does not send it: you could easily configure spring to do so

Thanks for the advice. Will give it a try.
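
Added example, not part of any post in this thread: a simplified timeline model of the setup discussed above (5-minute heartbeat, 3h servlet timeout, 30-minute sticky-cookie TTL). Whether the load balancer renews the cookie on each response is an assumption exposed as `sliding_cookie`; the function name and the worst-case reroute to a second pod are constructed for illustration.

```python
# Simplified model: one idle browser tab, sticky cookie at the LB, two pods.
HEARTBEAT = 300              # vaadin.heartbeatInterval (seconds)
SESSION_TIMEOUT = 3 * 3600   # server.servlet.session.timeout: 3h
COOKIE_TTL = 1800            # do-loadbalancer-sticky-sessions-cookie-ttl


def first_logout(cookie_ttl, session_timeout, heartbeat, sliding_cookie,
                 close_idle_sessions=True, horizon=6 * 3600):
    """Return (seconds, reason) for the first heartbeat that finds no usable
    session, or None if the session survives until `horizon`.

    The user's last real interaction is at t=0; afterwards only heartbeats
    are sent. `sliding_cookie` is an assumption about the LB: True means it
    re-issues the cookie (fresh TTL) on every response, False means the TTL
    runs from the moment the cookie was first set.
    """
    cookie_expires = cookie_ttl      # cookie set on the request at t=0
    last_any_request = 0             # what the servlet container tracks
    for now in range(heartbeat, horizon + 1, heartbeat):
        if now >= cookie_expires:
            # No affinity cookie: worst case the LB picks the other pod,
            # which has never seen this session.
            return now, "rerouted: sticky cookie expired"
        if now - last_any_request >= session_timeout:
            return now, "servlet session expired"
        if close_idle_sessions and now >= session_timeout:
            # Vaadin ignores heartbeats when measuring idleness (last real
            # request was at t=0) and closes the session on this heartbeat.
            return now, "closed by closeIdleSessions"
        last_any_request = now       # a heartbeat resets the container timer
        if sliding_cookie:
            cookie_expires = now + cookie_ttl
    return None


if __name__ == "__main__":
    for sliding in (False, True):
        print(sliding, first_logout(COOKIE_TTL, SESSION_TIMEOUT, HEARTBEAT, sliding))
```

With a non-renewed cookie the model loses the session at 1800 seconds, matching the 30-minute logout reported in the thread; inspecting the `Set-Cookie` headers on heartbeat responses in the browser's network tab shows which of the two behaviours the real load balancer has.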