Posted to user@struts.apache.org by bOOyah <bo...@nowhere.org> on 2004/04/26 23:30:18 UTC
Newbie: Session timeout strategy; opinions?
Howdy
I've been dwelling on what I originally thought was a no-brainer, but
now I'm not so sure.
I have a web app which, for its first release, does not need to cater
for user logins; anyone can fire it up and get on with using it.
Consequently, I decided that disabling session timeouts altogether was
probably the best thing to do (thus my parallel posting elsewhere on
this mailing list).
But I get the impression that infinite sessions are a 'bad thing'. So
what's the best strategy? For example, should I implement checking the
user's session in every Action (probably creating a custom
superclass.execute() to verify the session with every call, before
passing control to the concrete Action subclass)? Or should I use a
servlet filter? Or is there a better way of doing this?
Thanks for any help.
--
bOOyah
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
Re: Newbie: Session timeout strategy; opinions?
Posted by Hernan Soulages <he...@epidataconsulting.com>.
Doesn't the session end for any other reason than a timeout? How does the
server keep the session over client shutdown?
> Just for the sake of the server and memory usage I'd say infinite sessions
> are certainly bad.
>
> I would suggest setting your session timeout to something reasonable based
> on your usage. What kind of app is it? Does it lend itself to quick 5-min
> usage (in which case I'd set the timeout to 30mins) or is it the type of app
> you use for hours and then come back to? (like a research tool) in which
> case I'd set the timeout to 2-4hours or something along those lines. But I'd
> look into saving some state (if possible) in a cookie on the client's
> machine, so when they come back (maybe after sleeping) they can keep working
> and don't have to go back through a number of motions to reinit their
> session (i.e. load up list values, populate tables, etc.)
Re: Newbie: Session timeout strategy; opinions?
Posted by bOOyah <bo...@nowhere.org>.
Riyad Kalla wrote:
> Just for the sake of the server and memory usage I'd say infinite sessions are
> certainly bad.
Yep, that's what I have read too. However, there will be a pretty small
user base for my app (I'm not developing Amazon v2!). So server
requirements should be quite modest compared to 'normal' J2EE apps.
> I would suggest setting your session timeout to something reasonable based on
> your usage. What kind of app is it? Does it lend itself to quick 5-min usage
> (in which case I'd set the timeout to 30mins) or is it the type of app you
> use for hours and then come back to? (like a research tool) in which case I'd
> set the timeout to 2-4hours or something along those lines.
It can be used either way really.
> saving some state (if possible) in a cookie on the client's machine, so when
> they come back (maybe after sleeping) they can keep working and don't have to
> go back through a number of motions to reinit their session (i.e. load up
> list values, populate tables, etc.)
That's the kind of behaviour I'm after. But when their session expires,
won't the data in that cookie be invalidated? Then they would have to
reinit their session like you've described.
--
bOOyah
Re: Newbie: Session timeout strategy; opinions?
Posted by Riyad Kalla <rs...@email.arizona.edu>.
Just for the sake of the server and memory usage I'd say infinite sessions are
certainly bad.
I would suggest setting your session timeout to something reasonable based on
your usage. What kind of app is it? Does it lend itself to quick 5-min usage
(in which case I'd set the timeout to 30mins) or is it the type of app you
use for hours and then come back to? (like a research tool) in which case I'd
set the timeout to 2-4hours or something along those lines. But I'd look into
saving some state (if possible) in a cookie on the client's machine, so when
they come back (maybe after sleeping) they can keep working and don't have to
go back through a number of motions to reinit their session (i.e. load up
list values, populate tables, etc.)
On Monday 26 April 2004 02:30 pm, bOOyah wrote:
> Howdy
>
> I've been dwelling on what I originally thought was a no-brainer, but
> now I'm not so sure.
>
> I have a web app which, for its first release, does not need to cater
> for user logins; anyone can fire it up and get on with using it.
> Consequently, I decided that disabling session timeouts altogether was
> probably the best thing to do (thus my parallel posting elsewhere on
> this mailing list).
>
> But I get the impression that infinite sessions are a 'bad thing'. So
> what's the best strategy? For example, should I implement checking the
> user's session in every Action (probably creating a custom
> superclass.execute() to verify the session with every call, before
> passing control to the concrete Action subclass)? Or should I use a
> servlet filter? Or is there a better way of doing this?
>
> Thanks for any help.
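Added example, not written by anyone in this thread: one way to combine the two suggestions discussed above, using a servlet filter (rather than a check in every Action) that applies a finite idle timeout and re-seeds a fresh session from a separate client-side cookie, which has its own lifetime and is not tied to the HttpSession. The class name, cookie name, attribute keys, value format and the 30-minute figure are assumptions; the code targets the javax.servlet API.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter; map it to the application's URL pattern in web.xml.
// <session-config><session-timeout> in web.xml sets the same limit in minutes.
public class SessionRestoreFilter implements Filter {
    private static final int TIMEOUT_SECONDS = 30 * 60;     // idle timeout (assumed value)
    private static final String STATE_COOKIE = "appState";  // assumed cookie name
    private static final String STATE_ATTR = "viewState";   // assumed session attribute

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        // The browser presented a session id the container no longer holds,
        // i.e. the previous session timed out or was invalidated.
        boolean expired = req.getRequestedSessionId() != null
                && !req.isRequestedSessionIdValid();
        HttpSession session = req.getSession(true);
        if (session.isNew()) {
            session.setMaxInactiveInterval(TIMEOUT_SECONDS);
            String saved = readStateCookie(req);
            // Re-seed the new session so the user does not start from scratch.
            session.setAttribute(STATE_ATTR, saved != null ? saved : "default");
            // Lets the view show a "your session was restored" message.
            req.setAttribute("sessionWasExpired", Boolean.valueOf(expired));
        }
        chain.doFilter(rq, rs);
    }

    // Cookie contents are client-controlled: accept only a short token in a
    // strict format and treat anything else as absent.
    static String readStateCookie(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();   // null when the request has no cookies
        if (cookies == null) return null;
        for (int i = 0; i < cookies.length; i++) {
            String value = cookies[i].getValue();
            if (STATE_COOKIE.equals(cookies[i].getName())
                    && value != null && value.matches("[A-Za-z0-9_-]{1,64}")) {
                return value;
            }
        }
        return null;
    }
}
```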