Win a copy of Design for the Mind this week in the Design forum!
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

session time out. Can't you make it longer? May be about ... a day?

 
Gamini Sirisena
Ranch Hand
Posts: 378
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
My session seems to expire very frequently.. it seems it's about 30 minutes.. Rather tedious logging in throughout the day..

I've read the suggestion to keep the user logged in. But I'd rather not leave any room for someone to use my account having logged on indefinitely..

Any chance of extending this to a day? Or.. an option to customize the session time?

 
Balu Sadhasivam
Ranch Hand
Posts: 874
Android Java VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

I've read the suggestion to keep the user logged in. But I'd rather not leave any room for someone to use my account having logged on indefinitely..


I do that. I don't worry unless its mailbox or bank account. Only possible thing may be to malign "reputation" by asking improper questions.
 
James Ward
Ranch Hand
Posts: 263
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
For Tomcat:

[Tomcat_home]/conf/web.xml:



The timeout value is specified in minutes.

 
Jaikiran Pai
Marshal
Pie
Posts: 10447
227
IntelliJ IDE Ubuntu
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Gamini Sirisena wrote:My session seems to expire very frequently.. it seems it's about 30 minutes.. Rather tedious logging in throughout the day..


You don't have to login to read posts. However if you are posting then the session is not going to timeout - unless you post, then go off for more than 30 minutes and then come back again to post.


Gamini Sirisena wrote:
Any chance of extending this to a day?


In my opinion a day is too long to leave the session open.
 
paul wheaton
Trailboss
Pie
Posts: 21378
Firefox Browser IntelliJ IDE Java
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
So, if someone uses your account on your computer within 24 hours of your last access, you are okay with that. But if you have been away from javaranch for more than 24 hours and then somebody uses your computer to post something on javaranch, THAT is a problem? And the person is able to get on your computer and access all of your files, but the big issue is that they might step by all of that and start posting stuff under your name on javaranch? Wow, we are SO much cooler than I thought! Yeah baby!

I have two ideas:

1) We could modify JForum so folks can choose how long to remain logged in. There could be a field for a number and a radio button to pick "minutes" or "hours" - with the default of, say, 1 hour. And then another box that shows, "always" (or some such).

2) We leave JForum alone, people select "always" which is there now, and then folks activate the security on their computers to keep the creepy people out.

I suppose each idea has up sides and down sides. I suppose we could even do a little of each. I guess it depends on if a volunteer wants to play with the source.




 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 34178
340
Eclipse IDE Java VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I think we are discussing two separate issues here.

1) How long should the session timeout be?
2) How long before I'm prompted to log in again?

The answer to #1 affects the server. A session timeout should absolutely not be a day. That would mean the server would have to remember what everyone was doing for a whole day which wastes memory. For #1, my answer is no. I am quite opposed to changing the Tomcat session timeout to a day.

#2 is a variant of the "remember me" but forcing a shorter timeout for how long to remember. This doesn't seem so terrible, but it falls under "cool feature" to me unless you can point me to a use case for it. Because

paul wheaton wrote:So, if someone uses your account on your computer within 24 hours of your last access, you are okay with that. But if you have been away from javaranch for more than 24 hours and then somebody uses your computer to post something on javaranch, THAT is a problem?

what Paul wrote summarizes what you are describing as it reads to me. I don't get it at all! I also don't see many other sites on the web that offer set periods to stay logged in. Which makes it sound like a very low priority feature unless you sell it better.
 
Campbell Ritchie
Sheriff
Posts: 48645
56
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I think 30 minutes is quite reasonable. Can see no reason to change.
 
paul wheaton
Trailboss
Pie
Posts: 21378
Firefox Browser IntelliJ IDE Java
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Personally, I really like the "remember me" thing. It fixes everything. And I do everything from my computer. Nobody else uses my computer and I have lots of password stuff on my computer "just in case".

If somebody goes to a library computer (or some other shared computer) to use JavaRanch, then the 30 minute thing seems just right.

I think that if you are on a library computer and then wander off while posting something and come back to finish it two hours later, then ... well ... that doesn't seem like something that is gonna happen.

Maybe it would help if we have a scenario so that we can understand the need for a change to the software.

 
Gamini Sirisena
Ranch Hand
Posts: 378
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hello Paul and all,

It's like this..

We get some routine maintenance done while we are not at office by system engineers, and some times they log in to our
boxes. This is my concern. May be they are unfounded. They usually use the admin accounts to log in and now come to think of it may be using the keep me logged in will not work when accessing the box with a different account. I am not sure.

But sure will be nice to be logged on for say even 12 hours and automatically to be logged out "if" the user prefers it. I do agree that a "default" time out of 30 minutes seems reasonable.
 
ankur rathi
Ranch Hand
Posts: 3830
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Gamini Sirisena wrote:Hello Paul and all,

It's like this..

We get some routine maintenance done while we are not at office by system engineers, and some times they log in to our
boxes. This is my concern. May be they are unfounded. They usually use the admin accounts to log in and now come to think of it may be using the keep me logged in will not work when accessing the box with a different account. I am not sure.

But sure will be nice to be logged on for say even 12 hours and automatically to be logged out "if" the user prefers it. I do agree that a "default" time out of 30 minutes seems reasonable.


Yes, "keep me logged in" won't work for other user accounts so no need to worry.
Cookies are created in user's folders. In XP, it's C:\Documents and Settings\<username>\Cookies.

However, cases where you don't have multiple users on system or everyone is using one user account (say in cyber cafe), you must sign out.
 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 34178
340
Eclipse IDE Java VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Gamini Sirisena wrote: This is my concern. May be they are unfounded. They usually use the admin accounts to log in and now come to think of it may be using the keep me logged in will not work when accessing the box with a different account. I am not sure.

You are correct - they don't have access to your cookies.
 
Gamini Sirisena
Ranch Hand
Posts: 378
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thanks all for your time..
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic