Posted to users@tapestry.apache.org by Daniel M Garland <da...@titanemail.com> on 2005/09/24 17:46:28 UTC
Impact of not invalidating session
Hi all,
I decided to override the StaleSession page in Tapestry. Since the
requirements of my app don't really require the session to time out for
any security reasons (e.g. to force a login) I thought I may as well
have a custom page that simply pings the user back to the homepage.
Looking at the code for the StaleSession page though, it forces the
HttpSession to invalidate. To my mind, I don't really need to do this
since the stale session page would only be called if an active user
returned to a page after a period of inactivity, in which case I may as
well keep the minimal amount of information and not force the session to
invalidate.
I was wondering however what the impact of this is because I want
Tapestry to invalidate sessions that have been left inactive so that I
don't clog up the server with dead sessions. So basically my question is
if I don't have the StaleSession page force the session to invalidate
will I keep *every* dead session on the server?
TIA
Dan
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________
---------------------------------------------------------------------
To unsubscribe, e-mail: tapestry-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tapestry-user-help@jakarta.apache.org
Re: Impact of not invalidating session
Posted by Daniel M Garland <da...@titanemail.com>.
OK, in other words, does Tapestry invalidate the session for me anywhere else?
Dan
Daniel M Garland wrote:
> Hi all,
>
> I decided to override the StaleSession page in Tapestry. Since the
> requirements of my app don't really require the session to time out for
> any security reasons (e.g. to force a login) I thought I may as well
> have a custom page that simply pings the user back to the homepage.
>
> Looking at the code for the StaleSession page though, it forces the
> HttpSession to invalidate. To my mind, I don't really need to do this
> since the stale session page would only be called if an active user
> returned to a page after a period of inactivity, in which case I may as
> well keep the minimal amount of information and not force the session to
> invalidate.
>
> I was wondering however what the impact of this is because I want
> Tapestry to invalidate sessions that have been left inactive so that I
> don't clog up the server with dead sessions. So basically my question is
> if I don't have the StaleSession page force the session to invalidate
> will I keep *every* dead session on the server?
>
> TIA
> Dan