Session Timeout

Fisher Daniel
Ranch Hand

Joined: Sep 14, 2001
Posts: 582
Dear all,
What are the advantages and disadvantages of using session timeout?
thanks
daniel
Jessica Sant
Sheriff

Joined: Oct 17, 2001
Posts: 4313

Lots of different reasons for it, here's two to start getting you thinkin':
...Maybe you've got a shopping cart application -- a user comes by and puts all this stuff in their shopping cart (LOTS AND LOTS of stuff). And then they decide they don't want to buy it, so they just close their browser.
Now your application is storing all this session information -- and ALL that stuff they put in their shopping cart after they rudely shut their browser without even letting you know!! Ahhh... but no worries -- you implemented a session timeout of 1 hour, so after that hour, your appserver will invalidate the session, dump all that data and reclaim some memory.
Can you imagine how much memory would be locked up if your sessions NEVER expired??
... On the other hand maybe your web app is used by the customer service department at your company to log support calls as they come in. They're not THAT busy -- so sometimes there's a couple hours between when they make entries into the app.
Can you imagine how annoying it would be if EVERY time they had to make an entry into the system they had to login 'cause the system kept invalidating their session and logging them out (over and over and over throughout the week). Luckily -- there's not much of a security risk, and you're not storing much info in the session (not enough that it'll take up much memory...) so you can set the timeout to -1 without any problem.
does that help explain the need for it a bit?
[ February 22, 2003: Message edited by: Jessica Sant ]

- Jess
Blog:KnitClimbJava | Twitter: jsant | Ravelry: wingedsheep
Fisher Daniel
Ranch Hand

Joined: Sep 14, 2001
Posts: 582
Thanks Jessica for your explanation....
According to your example about the shopping cart, the user can cancel his/her activity.
If users do that, I think our program should remove his/her session from the memory.
And if users don't do anything for a period of time, the container will remove his/her session from the memory automatically...
Is it true?
thanks
daniel
Jessica Sant
Sheriff

Joined: Oct 17, 2001
Posts: 4313

yup -- if the user actually takes the time to click "cancel order" -- the shopping cart program should call session.invalidate(). If they don't (and a lot of people won't) -- you can have your session timeout configured so it will automatically log them out after a specified period of time.
You just want to make sure that time is long enough that the user won't accidentally get kicked out and lose their shopping cart info. (Like -- 10 minutes would be WAY too short... someone could reasonably wait 10 minutes before they're done with their cart activities.... but it's pretty unlikely that someone will wait 2 hours and expect their shopping cart to still be there.)
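The two ways a session ends in this thread (an explicit session.invalidate() on "cancel order" and the container's inactivity timeout), shown as an added example that is not part of the original posts. The class names and registration details are hypothetical, and it assumes the javax.servlet API (Servlet 2.4 or later) on the classpath.

```java
import java.io.IOException;
import javax.servlet.http.*;

// Added example; the class names are hypothetical. Nested classes keep this
// in one file; register them in web.xml as
// CartSessions$CancelOrderServlet and CartSessions$CleanupListener.
public class CartSessions {

    // One hour, as in the shopping-cart scenario. setMaxInactiveInterval takes
    // SECONDS; <session-timeout> in web.xml takes MINUTES.
    static final int CART_TIMEOUT_SECONDS = 60 * 60;

    // Call when the cart session starts (for example, when the first item is added).
    static HttpSession startCartSession(HttpServletRequest req) {
        HttpSession session = req.getSession(true);
        session.setMaxInactiveInterval(CART_TIMEOUT_SECONDS);
        // A negative interval means the session never times out
        // (the customer-service scenario): session.setMaxInactiveInterval(-1);
        return session;
    }

    // Path 1: the user clicks "cancel order".
    public static class CancelOrderServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws IOException {
            // getSession(false): do not create a session just to destroy it.
            HttpSession session = req.getSession(false);
            if (session != null) {
                session.invalidate(); // unbinds every attribute, cart included
            }
            resp.sendRedirect(req.getContextPath() + "/");
        }
    }

    // Both paths end here: the container calls sessionDestroyed after an
    // explicit invalidate() and after an inactivity timeout alike.
    public static class CleanupListener implements HttpSessionListener {
        @Override
        public void sessionCreated(HttpSessionEvent se) { }

        @Override
        public void sessionDestroyed(HttpSessionEvent se) {
            // The session id is deliberately not logged.
            se.getSession().getServletContext().log("cart session ended");
        }
    }
}
```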
Ke Liu
Ranch Hand

Joined: Feb 15, 2003
Posts: 143
I think that the main advantage using session timeout is security.


SCJP,SCWCD,SCBCD