Posted to user@struts.apache.org by bOOyah <bo...@nowhere.org> on 2004/04/26 23:30:18 UTC

Newbie: Session timeout strategy; opinions?

Howdy

I've been dwelling on what I originally thought was a no-brainer, but 
now I'm not so sure.

I have a web app which, for its first release, does not need to cater 
for user logins; anyone can fire it up and get on with using it. 
Consequently, I decided that disabling session timeouts altogether was 
probably the best thing to do (thus my parallel posting elsewhere on 
this mailing list).

But I get the impression that infinite sessions are a 'bad thing'.  So 
what's the best strategy?  For example, should I implement checking the 
user's session in every Action (probably creating a custom 
superclass.execute() to verify the session with every call, before 
passing control to the concrete Action subclass)?  Or should I use a 
servlet filter?  Or is there a better way of doing this?

Thanks for any help.
-- 
bOOyah


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: Newbie: Session timeout strategy; opinions?

Posted by Hernan Soulages <he...@epidataconsulting.com>.
Doesn't the session end by any other reason than a timeout?  How does the
server keep session over client shutdown?
> Just for the sake of the server and memory usage I'd say infinite sessions are
> certainly bad.
>
> I would suggest setting your session timeout to something reasonable based on
> your usage. What kind of app is it? Does it lend itself to quick 5-min usage
> (in which case I'd set the timeout to 30mins) or is it the type of app you
> use for hours and then come back to? (like a research tool) in which case I'd
> set the timeout to 2-4hours or something along those lines. But I'd look into
> saving some state (if possible) in a cookie on the client's machine, so when
> they come back (maybe after sleeping) they can keep working and don't have to
> go back through a number of motions to reinit their session (i.e. load up
> list values, populate tables, etc.)




Re: Newbie: Session timeout strategy; opinions?

Posted by bOOyah <bo...@nowhere.org>.
Riyad Kalla wrote:

> Just for the sake of the server and memory usage I'd say infinite sessions are 
> certainly bad.
Yep, that's what I have read too.  However, there will be a pretty small 
user base for my app (I'm not developing Amazon v2!).  So server 
requirements should be quite modest compared to 'normal' J2EE apps.

> I would suggest setting your session timeout to something reasonable based on 
> your usage. What kind of app is it? Does it lend itself to quick 5-min usage 
> (in which case I'd set the timeout to 30mins) or is it the type of app you 
> use for hours and then come back to? (like a research tool) in which case I'd 
> set the timeout to 2-4hours or something along those lines.
It can be used either way really.

> saving some state (if possible) in a cookie on the client's machine, so when 
> they come back (maybe after sleeping) they can keep working and don't have to 
> go back through a number of motions to reinit their session (i.e. load up 
> list values, populate tables, etc.)
That's the kind of behaviour I'm after.  But when their session expires, 
won't the data in that cookie be invalidated?  Then they would have to 
reinit their session like you've described.

-- 
bOOyah


Re: Newbie: Session timeout strategy; opinions?

Posted by Riyad Kalla <rs...@email.arizona.edu>.
Just for the sake of the server and memory usage I'd say infinite sessions are 
certainly bad.

I would suggest setting your session timeout to something reasonable based on 
your usage. What kind of app is it? Does it lend itself to quick 5-min usage 
(in which case I'd set the timeout to 30mins) or is it the type of app you 
use for hours and then come back to? (like a research tool) in which case I'd 
set the timeout to 2-4hours or something along those lines. But I'd look into 
saving some state (if possible) in a cookie on the client's machine, so when 
they come back (maybe after sleeping) they can keep working and don't have to 
go back through a number of motions to reinit their session (i.e. load up 
list values, populate tables, etc.)

On Monday 26 April 2004 02:30 pm, bOOyah wrote:
> Howdy
>
> I've been dwelling on what I originally thought was a no-brainer, but
> now I'm not so sure.
>
> I have a web app which, for its first release, does not need to cater
> for user logins; anyone can fire it up and get on with using it.
> Consequently, I decided that disabling session timeouts altogether was
> probably the best thing to do (thus my parallel posting elsewhere on
> this mailing list).
>
> But I get the impression that infinite sessions are a 'bad thing'.  So
> what's the best strategy?  For example, should I implement checking the
> user's session in every Action (probably creating a custom
> superclass.execute() to verify the session with every call, before
> passing control to the concrete Action subclass)?  Or should I use a
> servlet filter?  Or is there a better way of doing this?
>
> Thanks for any help.
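
Added example, not part of any post in this thread: one way to do the servlet-filter option raised in the question, detecting an expired session in a single place instead of in every Action. The class name SessionExpiryFilter and the restart path /welcome.do are hypothetical; the idle timeout itself stays in web.xml.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: class name and restart path are hypothetical.
// The finite idle timeout is container configuration in web.xml, e.g.
//   <session-config><session-timeout>30</session-timeout></session-config>
public class SessionExpiryFilter implements Filter {

    // Assumed page that calls getSession() and rebuilds per-session state.
    private static final String RESTART_PATH = "/welcome.do";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The browser presented a session id the container no longer knows:
        // the session timed out or was invalidated since the last request.
        boolean expired = request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();

        // Let the restart page through, otherwise the stale id would
        // trigger a redirect loop before a new session can be created.
        boolean isRestartPage = RESTART_PATH.equals(request.getServletPath());

        if (expired && !isRestartPage) {
            response.sendRedirect(response.encodeRedirectURL(
                    request.getContextPath() + RESTART_PATH));
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

The filter still has to be declared and mapped in web.xml. If the restart page restores state from a cookie, treat the cookie's contents as untrusted client input and validate them before use.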
