Jetty 12: ManagedSession leak in DefaultSessionCache with NullSessionDataStore — sessionInactivityTimer stuck at Long.MAX_VALUE, sessions never evicted #13470

@navrkalpavel

Jetty version(s)
12.0.17

Jetty Environment
ee10

Java version/vendor (use: java -version)
openjdk version "17.0.15" 2025-04-15
OpenJDK Runtime Environment Temurin-17.0.15+6 (build 17.0.15+6)
OpenJDK 64-Bit Server VM Temurin-17.0.15+6 (build 17.0.15+6, mixed mode, sharing)

OS type/version
Rocky Linux release 9.5 (Blue Onyx)

Description

Environment:

  • Embedded Jetty ee10 in our application
  • Session stack: DefaultSessionCache + NullSessionDataStore
  • Production traffic is primarily HTTP/2

After upgrading to Jetty 12, we see an accumulation of ManagedSession instances in DefaultSessionCache. Heap dumps show thousands of sessions remaining in VALID state even though their lastAccessed timestamps are weeks in the past and maxInactiveMs is 600_000 (10 minutes). A common property of all leaked sessions is that their sessionInactivityTimer is set to Long.MAX_VALUE, which appears to prevent the HouseKeeper from ever expiring them. Over several months of uptime, about 6,000 such sessions accumulate. This behavior is only observed on Jetty 12; Jetty 11 behaves correctly with the same application and traffic pattern.

How to reproduce?

We cannot reproduce this in our lab/test environment; in lab, sessions are consistently expired and removed as expected.

Labels

Bug: For general bugs on Jetty side

Status

✅ Done
