In the default configuration, EAServer validates a client’s HTTP session during each request. In a clustered deployment, session validation is more resource intensive since EAServer stores the session in a database or using a replicated cache. If you enable lazy validation, EAServer validates the session only when a servlet or JSP calls ServletRequest.getSession() or ServletRequest.getSession(boolean). To enable this setting, set the com.sybase.jaguar.webapplication.lazydistributedhttpsessionvalidation Web application property to true.
Lazy validation can improve performance. However, enabling lazy authentication has the following side effects:
The last-accessed-time session attribute is set only when the servlet or JSP accesses the session. Consequently, the session may expire sooner than expected if the client accesses only static pages or servlets and JSPs that do not access the session data.
When the session is invalidated, the client is not assigned a new session until they request a page that requires a session.
The client’s security credentials (if any) are available only to JSPs and servlets that are marked protected via the security constraints property. Other pages cannot retrieve the client’s credentials—the ServletRequest.getUserPrincipal() method returns null even though the client is logged in.
