dsNamNam1

ATG Session Management

Managing Multiple ATG Web Applications

Summary
ATG Commerce relies on third party application servers such as Red Hat JBoss, IBM
WebSphere or Oracle / BEA Weblogic Application Servers to manage the web session. This
white paper discusses how to manage sessions for multiple ATG web server applications on
third-party application servers.

Session Management Key Concepts

Before we begin, there are some key things to define and explain:

First is that the J2EE specification defines that each web application has its own
session object and any attributes added to the session are only accessible from
within that same web application. Each application server may or may not offer
some form of session sharing where you can access the session data from multiple
web-apps, but that doesn't concern us since we are app server agnostic and can't
depend on that always being a feature.
Next is the fact that a session's life cycle is wholly managed by the application
server. It is the one that generates a unique session id, creates the session,
invalidates it, fails it over, etc. When we talk about ATG sessions, we are really
talking about a wrapper around the underlying session which acts as a root for
session scoped components. Remember that Nucleus components live within a
tree, and there are multiple scopes with each scope being rooted at a particular
component. The root for session scoped components is at:
/atg/dynamo/servlet/sessiontracking/GenericSessionManager/<sessionid>/ where
<sessionid> is some ID generated by the application server.

Session Management with Multiple Web Applications

When multiple web-applications exist in the ATG BigEar, only one of them must be
designated as the parent web-application. Being the parent means that this web-app's
session id will be used as the basis for creating the Nucleus session scope root. Out of the
box, the DafEar\base\j2ee-components\atg-bootstrap.war is the parent application with a
context root of /dyn. You don't have to do anything special to use it, but its a good idea for
all your web applications to define the atg.session.parentContextName and
atg.dafear.bootstrapContextName parameters in their web.xml to point to the parent webapplication:
<context-param>
<param-name>atg.session.parentContextName</param-name>
<param-value>/dyn</param-value>
</context-param>
<context-param>
<param-name>atg.dafear.bootstrapContextName</param-name>
<param-value>/dyn</param-value>
<description>The name of the DAF bootstrap WAR
context.</description>
</context-param>

ATG Session Management | 2

With that information in mind, lets look at how this all works:

When a request comes in without a session id in the cookie or in the URL, the
application server creates a new session for the particular web-app that is being
requested.
The ATG code to initialize the ATG session context is invoked one of the following
ways:
o NucleusProxyServlet: Request for JHTML pages and Administration UI
o PageFilter: For any URLs where the filter is mapped (e.g. *.jsp)
o DSP PageTag: Any JSP pages that use the DSP taglib and use the
<dsp:page> tag around the body of the page
o Servlets: Any servlet that extends the atg.servlet.DynamoServlet
One of these mechanisms must be used to initalize the ATG components correctly.
Getting access to ATG functionality in a request outside the context of one of these
methods (like using ServletUtil.getDynamoRequest()) can lead to unexpected
behavior.
The ATG code first determines if the session has been failed over and ATG session
restoration needs to happen (to be described later), or if this is a new session
If the request is for the parent web application, the session context is created with
the current session id.
If the request is for a child web application, the parent web app's session id must
be resolved.
Some application servers maintain a single session id between web-apps for the
same client (browser) so this lookup is not required and the current session id is
used. This behavior is controlled via the
/atg/dynamo/servlet/sessiontracking/GenericSessionManager.singleSessionIdPer
User property which is automatically set in the DafEar submodule configuration
layer for the application server in use. Current values for 2007.1:
WebLogic: false
JBoss: false
WebSphere: true

When the value is true, the application server is using the same session id for all
web-apps so the lookup is not required.
If a lookup is required, an include of the
atg.nucleus.servlet.SessionNameContextServlet servlet (that should be defined in
the parent web-application) is done via a RequestDispatcher.include()call. The
SessionNameContextServlet does two things:
1. Sets the parent session id as a request attribute that can then be used by the
child web-app to bind to the correct session context.
2. For application servers that don't allow request attributes to be shared
between web-applications (earlier versions of JBoss), it also sets a cookie with
the session id. This behavior is controlled via the
/atg/dynamo/servlet/sessiontracking/GenericSessionManager.useSessionTrac
kingCookie property.
In either case (child or parent being requested) additional attributes are set in the
session so that the lookup doesn't have to happen for future requests. Specifically
the atg.parent.session.id attribute is set to the parent session id.
The new session scoped context (of type atg.servlet.SessionNameContext) should
now exist under the GenericSessionManager.
Because the ATG Nucleus components live outside the application server's session,
an atg.servlet.SessionBindingReporter object (which implements the
javax.servlet.http.HttpSessionBindingListener interface) is added to each web
application session as an attribute. According to the J2EE spec, this object must be
notified by the application server when the session is started (its valueBound
method invoked) or invalidated (its valueUnbound method invoked).
The SessionBindingReporter will increment a counter in the SessionNameContext
it belongs to. This counter (mNumWrappingNameContexts in
SessionNameContext) keeps track of the number of child web application session

ATG Session Management | 3

references to the Nucleus session scope. As each child web-app is requested, this
number will go up. The counter is decremented when a session is expired.
When the application server expires a session, either because of a user request (i.e.
session.invalidate() invoked) or due to a session timeout, it unbinds all the session
attributes and invokes the atg.servlet.SessionBindingReporter.valueUnbound()
method.
The valueUnbound decrements the SessionNameContext counter.
When the SessionNameContext.mNumWrappingNameContexts counter reaches
0, that means that all the child and parent web-app sessions have been expired
and it is safe for the ATG Nucleus session scope to be removed.

Things to keep in mind

Because the only link to the underlying session is through the SessionBindingReporter
attribute, session management is a common cause for memory leaks on third party
application servers. One such leak occurs on IBM WebSphere where in a clustered
environment, the session invalidation can occur in a different JVM instance than where
the session originated. This means that the valueUnbound will not be invoked on the
JVM where the ATG session scope resides which results in those objects never getting
removed.

About ATG
ATG makes the software and delivers the on demand solutions that the world's most customer-conscious companies use to power their e-commerce web
sites, attract prospects, convert them to buyers and ensure their satisfaction so they become loyal, repeat, profitable customers. Our e-commerce suite is
ranked the #1 current offering and #1 in strategy by the industry's most influential analyst firms, and powers more of the top 300 internet retailers than
any other vendor. Our eStara brand provides customer interaction solutions to enhance conversions and customer support, and delivers the world's most
widely used click-to-call service. ATG's solutions are used by over 900 major brands, including Amazon, American Eagle Outfitters, AOL, AT&T, Best Buy,
B&Q Cabela's, Carrefour, Cingular, Coca Cola, Continental Airlines, CVS, Dell, DirecTV, El Corte Ingles, Expedia, France Telecom, Harvard Business School
Publishing, Hewlett-Packard, Hilton, HSBC, Intuit, J. Crew, Macy's, Meredith, Microsoft, Neiman Marcus, New York & Company, Nokia, OfficeMax, PayPal,
Philips, Procter & Gamble, Sears, Sony, Symantec, Target, T-Mobile, Urban Outfitters, Verizon, Viacom, Vodafone and Walgreens.
To learn more about ATG, visit atg.com or call 1-800-RING-ATG.
2008 Art Technology Group, Inc. ATG, Art Technology Group and the ATG logo are registered trademarks of Art Technology Group. All other trademarks
are the property of their respective holders. NASDAQ: ARTG