Session Timeout

 
Fisher Daniel
Ranch Hand
Posts: 582
Dear all,
What are the advantages and disadvantages of using session timeout?
thanks
daniel
 
Jessica Sant
Sheriff
Posts: 4313
Lots of different reasons for it, here's two to start getting you thinkin':
...Maybe you've got a shopping cart application -- a user comes by and puts all this stuff in their shopping cart (LOTS AND LOTS of stuff). And then they decide they don't want to buy it, so they just close their browser.
Now your application is storing all this session information -- and ALL that stuff they put in their shopping cart after they rudely shut their browser without even letting you know!! Ahhh... but no worries -- you implemented a session timeout of 1 hour, so after that hour, your appserver will invalidate the session, dump all that data and reclaim some memory.
Can you imagine how much memory would be locked up if your sessions NEVER expired??
... On the other hand maybe your web app is used by the customer service department at your company to log support calls as they come in. They're not THAT busy -- so sometimes there's a couple hours between when they make entries into the app.
Can you imagine how annoying it would be if EVERY time they had to make an entry into the system they had to login 'cause the system kept invalidating their session and logging them out (over and over and over throughout the week). Luckily -- there's not much of a security risk, and you're not storing much info in the session (not enough that it'll take up much memory...) so you can set the timeout to -1 without any problem.
does that help explain the need for it a bit?
[ February 22, 2003: Message edited by: Jessica Sant ]
 
Fisher Daniel
Ranch Hand
Posts: 582
Thanks Jessica for your explanation....
According to your example about the shopping cart, the users can cancel their activity.
If users do that, I think our program should remove their session from the memory.
And if users don't do anything for a period of time, the container will remove their session from the memory automatically...
Is it true?
thanks
daniel
 
Jessica Sant
Sheriff
Posts: 4313
yup -- if the user actually takes the time to click "cancel order" -- the shopping cart program should call session.invalidate(). If they don't (and a lot of people won't) -- you can have your session timeout configured so it will automatically log them out after a specified period of time.
You just want to make sure that time is long enough that the user won't accidentally get kicked out and lose their shopping cart info. (Like -- 10 minutes would be WAY too short... someone could reasonably wait 10 minutes before they're done with their cart activities.... but it's pretty unlikely that someone will wait 2 hours and expect their shopping cart to still be there.)
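
The two ways a session ends in this thread, an explicit session.invalidate() on cancel and the container's idle timeout, shown as an added example that is not code from any poster. The servlet name, the /cart URL, the request parameter names and the Cart class are hypothetical; it assumes the javax.servlet API (Servlet 3.0 or later).

```java
import java.io.IOException;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

// Hypothetical servlet and URL (assumption, not from the thread).
@WebServlet("/cart")
public class CartServlet extends HttpServlet {
    private static final int IDLE_SECONDS = 60 * 60; // the 1-hour timeout from the thread

    // The container calls valueUnbound() when the session is invalidated OR
    // when it times out, so both paths release the cart data.
    static class Cart implements HttpSessionBindingListener, Serializable {
        private static final long serialVersionUID = 1L;
        final List<String> items = Collections.synchronizedList(new ArrayList<>());
        @Override public void valueBound(HttpSessionBindingEvent e) { }
        @Override public void valueUnbound(HttpSessionBindingEvent e) {
            System.out.println("cart released, items dropped: " + items.size());
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        if ("cancel".equals(req.getParameter("action"))) {
            HttpSession existing = req.getSession(false); // do not create one just to destroy it
            if (existing != null) existing.invalidate();  // explicit "cancel order" path
            resp.sendRedirect(req.getContextPath() + "/");
            return;
        }
        HttpSession session = req.getSession(true);
        // Value is in seconds; a negative value means the session never expires.
        if (session.isNew()) session.setMaxInactiveInterval(IDLE_SECONDS);
        Cart cart = (Cart) session.getAttribute("cart");
        if (cart == null) { cart = new Cart(); session.setAttribute("cart", cart); }
        String item = req.getParameter("item");
        if (item != null && !item.isEmpty()) cart.items.add(item);
        resp.setContentType("text/plain");
        resp.getWriter().println("items in cart: " + cart.items.size());
    }
}
```

The same idle timeout can be set for every session in web.xml with `<session-config><session-timeout>60</session-timeout></session-config>`, where the value is in minutes rather than seconds.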
 
Ke Liu
Ranch Hand
Posts: 143
I think that the main advantage of using session timeout is security.
 