Posted to users@tapestry.apache.org by Daniel M Garland <da...@titanemail.com> on 2005/09/24 17:46:28 UTC

Impact of not invalidating session

Hi all,

I decided to override the StaleSession page in Tapestry. Since the 
requirements of my app don't really require the session to time out for 
any security reasons (e.g. to force a login) I thought I may as well 
have a custom page that simply pings the user back to the homepage.

Looking at the code for the StaleSession page though, it forces the 
HttpSession to invalidate. To my mind, I don't really need to do this 
since the stale session page would only be called if an active user 
returned to a page after a period of inactivity - in which case I may as 
well keep the minimal amount of information and not force the session to 
invalidate.

I was wondering however what the impact of this is because I want 
Tapestry to invalidate sessions that have been left inactive so that I 
don't clog up the server with dead sessions. So basically my question is 
if I don't have the StaleSession page force the session to invalidate 
will I keep *every* dead session on the server?

TIA
Dan


______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________

---------------------------------------------------------------------
To unsubscribe, e-mail: tapestry-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tapestry-user-help@jakarta.apache.org


Re: Impact of not invalidating session

Posted by Daniel M Garland <da...@titanemail.com>.
OK, in other words, does Tapestry invalidate the session for me anywhere else?

Dan

Daniel M Garland wrote:
> Hi all,
> 
> I decided to override the StaleSession page in Tapestry. Since the 
> requirements of my app don't really require the session to time out for 
> any security reasons (e.g. to force a login) I thought I may as well 
> have a custom page that simply pings the user back to the homepage.
> 
> Looking at the code for the StaleSession page though, it forces the 
> HttpSession to invalidate. To my mind, I don't really need to do this 
> since the stale session page would only be called if an active user 
> returned to a page after a period of inactivity - in which case I may as 
> well keep the minimal amount of information and not force the session to 
> invalidate.
> 
> I was wondering however what the impact of this is because I want 
> Tapestry to invalidate sessions that have been left inactive so that I 
> don't clog up the server with dead sessions. So basically my question is 
> if I don't have the StaleSession page force the session to invalidate 
> will I keep *every* dead session on the server?
> 
> TIA
> Dan