posted 21 years ago
Lots of different reasons for it, here's two to start getting you thinkin':
...Maybe you've got a shopping cart application -- a user comes by and puts all this stuff in their shopping cart (LOTS AND LOTS of stuff). And then they decide they don't want to buy it, so they just close their browser.
Now your application is storing all this session information -- and ALL that stuff they put in their shopping cart after they rudely shut their browser without even letting you know!! Ahhh... but no worries -- you implemented a session timeout of 1 hour, so after that hour, your appserver will invalidate the session, dump all that data and reclaim some memory.
Can you imagine how much memory would be locked up if your sessions NEVER expired??
... On the other hand maybe your web app is used by the customer service department at your company to log support calls as they come in. They're not THAT busy -- so sometimes there's a couple hours between when they make entries into the app.
Can you imagine how annoying it would be if EVERY time they had to make an entry into the system they had to log in 'cause the system kept invalidating their session and logging them out (over and over and over throughout the week). Luckily -- there's not much of a security risk, and you're not storing much info in the session (not enough that it'll take up much memory...) so you can set the timeout to -1 without any problem.
does that help explain the need for it a bit?
[ February 22, 2003: Message edited by: Jessica Sant ]
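As an added illustration (not part of the original post or any app server's code), here is a small Python model of the idle-timeout logic described above: each access resets the session's idle clock, a reaper invalidates sessions idle longer than the timeout, and, following the servlet convention, a negative timeout means the session never expires. The two scenarios and their numbers (1000 abandoned carts, an agent making an entry every 2 hours) are constructed for the demo.

```python
NEVER = -1  # servlet convention: a negative max-inactive interval means the session never expires

class SessionStore:
    # In-memory session registry that invalidates idle sessions, as the post describes.
    def __init__(self, max_inactive_seconds):
        self.max_inactive = max_inactive_seconds
        self.sessions = {}  # sid -> {"last_access": t, "attributes": {...}}

    def create(self, sid, now):
        self.sessions[sid] = {"last_access": now, "attributes": {}}
        return self.sessions[sid]

    def _expired(self, session, now):
        if self.max_inactive < 0:  # -1: sessions live until the app server restarts
            return False
        return now - session["last_access"] >= self.max_inactive

    def get(self, sid, now):
        session = self.sessions.get(sid)
        if session is None or self._expired(session, now):
            self.sessions.pop(sid, None)  # invalidate and reclaim the memory
            return None
        session["last_access"] = now  # every access counts as activity and resets the idle clock
        return session

    def sweep(self, now):
        # Background reaper: drop every session idle longer than the timeout.
        dead = [sid for sid, s in self.sessions.items() if self._expired(s, now)]
        for sid in dead:
            del self.sessions[sid]
        return len(dead)

def abandoned_cart_scenario(max_inactive_seconds, shoppers=1000):
    # Constructed: shoppers fill a cart at t=0 and close the browser; count sessions still in memory 90 min later.
    store = SessionStore(max_inactive_seconds)
    for i in range(shoppers):
        store.create(f"sid-{i}", now=0)["attributes"]["cart"] = ["item"] * 50
    store.sweep(now=90 * 60)
    return len(store.sessions)

def support_desk_scenario(max_inactive_seconds, gap_seconds=2 * 3600, entries=5):
    # Constructed: one agent logs a call every gap_seconds; count how often the session was gone and a re-login needed.
    store = SessionStore(max_inactive_seconds)
    store.create("agent", now=0)
    relogins = 0
    for k in range(1, entries + 1):
        if store.get("agent", now=k * gap_seconds) is None:
            relogins += 1
            store.create("agent", now=k * gap_seconds)
    return relogins
```

With a 1-hour timeout the abandoned carts are all reclaimed but the support agent is logged out before every entry; with -1 nothing is ever reclaimed and the agent is never logged out, which is exactly the trade-off the post lays out.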