Zap Proxy java keeps reference to deleted sessions

9 views
Skip to first unread message

Sampo Kivistö

unread,
Jan 7, 2026, 5:22:03 AM (3 days ago) Jan 7
to ZAP User Group

I am experiencing an issue when running zap_proxy headless continuously on my machine.

What ends up happening is that deleted sessions are not freed from the system memory disk space.

This is Ubuntu 24.04 OS, ZAP Proxy [w2025-12-29]

df -h Filesystem Size Used Avail Use% Mounted on /dev/root 29G 29G 740K 100% /

The following command shows the real usage of the disk is nowhere near full:

sudo du -h --max-depth=1 / | sort -h

0 /dev 0 /proc 0 /sys 4.0K /bin.usr-is-merged 4.0K /lib.usr-is-merged 4.0K /media 4.0K /mnt 4.0K /sbin.usr-is-merged 4.0K /srv 8.0K /snap 16K /lost+found 1.1M /tmp 7.2M /etc 120M /boot 297M /run 427M /root 677M /opt 1.4G /home 2.2G /var 2.4G /usr 7.4G /

When I look into deleted files, however, I can see most of the disk space is gone to old deleted sessions:

sudo lsof +L1 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NLINK NODE NAME java 665 root 41u REG 259,1 39426457600 0 524299 /root/.ZAP_D/session/untitled5.data (deleted) java 665 root 237u REG 259,1 32168952 0 524301 /root/.ZAP_D/session/untitled5.backup (deleted)

That folder does not have the old session files:

~/.ZAP_D/session# ls --all . .. untitled81.data untitled81.lck untitled81.log untitled81.properties untitled81.script untitled81.tmp

I am repeatedly calling APIs:

  • alert/action/deleteAllAlerts
  • core/action/deleteAllHistory
  • JSON/core/action/newSession?overwrite=true

This is the config:

-loglevel error \ -port 3095 \ -config database.newsession=false \ -config database.autosave=false \ -config database.recovery=false \ -config database.autodelete=true \ -config proxy.timeout=240000 \ -config connection.timeoutInSecs=240 \ -config api.key=asd \ -config server.cert=/home/sampo/Documents/test_data/zap_cert.pem \ -config server.privatekey=/home/sampo/Documents/test_data/zap_key.pem \ -config autoupdate.checkOnStart=false \ -config autoupdate.installAddonUpdates=false \ -config autoupdate.downloadNewRelease=false \ -config autoupdate.downloadNewBeta=false \ -config autoupdate.downloadNewAlpha=false \

I would like to disable the disk storage if anyhow possible and still retrieve the found issues using the passive proxy scanner.

Steps to reproduce the behavior:
  1. Start headless proxy
  2. Run it for a long time and call APIs:
    • alert/action/deleteAllAlerts
    • core/action/deleteAllHistory
    • JSON/core/action/newSession?overwrite=true
  3. Deleted files take disk space
Expected behavior:

When a session is deleted, its held file references should be removed to free disk space
— or —
Allow disabling disk storing altogether

Software Versions:

w2025-12-29

Simon Bennetts

unread,
Jan 7, 2026, 10:51:57 AM (3 days ago) Jan 7
to ZAP User Group
I'm afraid that ZAP is not designed to be a long running service.
If you can work out a way that it can work for you then great, but this is not a supported option.
In automation we recommend starting new ZAP instances instead of keeping one instance open for a long period of time.

Cheers,

Simon
Reply all
Reply to author
Forward
0 new messages