wood burning stoves*
The moose likes Ranch Office and the fly likes session time out. Can't you make it longer? May be about ... a day? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » This Site » Ranch Office
Bookmark "session time out. Can Watch "session time out. Can New topic
Author

session time out. Can't you make it longer? May be about ... a day?

Gamini Sirisena
Ranch Hand

Joined: Aug 05, 2008
Posts: 347
My session seems to expire very frequently.. it seems it's about 30 minutes.. Rather tedious logging in throughout the day..

I've read the suggestion to keep the user logged in. But I'd rather not leave any room for someone to use my account having logged on indefinitely..

Any chance of extending this to a day? Or.. an option to customize the session time?

Balu Sadhasivam
Ranch Hand

Joined: Jan 01, 2009
Posts: 874


I've read the suggestion to keep the user logged in. But I'd rather not leave any room for someone to use my account having logged on indefinitely..


I do that. I don't worry unless its mailbox or bank account. Only possible thing may be to malign "reputation" by asking improper questions.
James Ward
Ranch Hand

Joined: Apr 27, 2003
Posts: 263
For Tomcat:

[Tomcat_home]/conf/web.xml:



The timeout value is specified in minutes.

Jaikiran Pai
Marshal

Joined: Jul 20, 2005
Posts: 10067
    
163

Gamini Sirisena wrote:My session seems to expire very frequently.. it seems it's about 30 minutes.. Rather tedious logging in throughout the day..


You don't have to login to read posts. However if you are posting then the session is not going to timeout - unless you post, then go off for more than 30 minutes and then come back again to post.


Gamini Sirisena wrote:
Any chance of extending this to a day?


In my opinion a day is too long to leave the session open.


[My Blog] [JavaRanch Journal]
paul wheaton
Trailboss

Joined: Dec 14, 1998
Posts: 20542
    ∞

So, if someone uses your account on your computer within 24 hours of your last access, you are okay with that. But if you have been away from javaranch for more than 24 hours and then somebody uses your computer to post something on javaranch, THAT is a problem? And the person is able to get on your computer and access all of your files, but the big issue is that they might step by all of that and start posting stuff under your name on javaranch? Wow, we are SO much cooler than I thought! Yeah baby!

I have two ideas:

1) We could modify JForum so folks can choose how long to remain logged in. There could be a field for a number and a radio button to pick "minutes" or "hours" - with the default of, say, 1 hour. And then another box that shows, "always" (or some such).

2) We leave JForum alone, people select "always" which is there now, and then folks activate the security on their computers to keep the creepy people out.

I suppose each idea has up sides and down sides. I suppose we could even do a little of each. I guess it depends on if a volunteer wants to play with the source.





permaculture Wood Burning Stoves 2.0 - 4-DVD set
Jeanne Boyarsky
internet detective
Marshal

Joined: May 26, 2003
Posts: 30377
    
150

I think we are discussing two separate issues here.

1) How long should the session timeout be?
2) How long before I'm prompted to log in again?

The answer to #1 affects the server. A session timeout should absolutely not be a day. That would mean the server would have to remember what everyone was doing for a whole day which wastes memory. For #1, my answer is no. I am quite opposed to changing the Tomcat session timeout to a day.

#2 is a variant of the "remember me" but forcing a shorter timeout for how long to remember. This doesn't seem so terrible, but it falls under "cool feature" to me unless you can point me to a use case for it. Because

paul wheaton wrote:So, if someone uses your account on your computer within 24 hours of your last access, you are okay with that. But if you have been away from javaranch for more than 24 hours and then somebody uses your computer to post something on javaranch, THAT is a problem?

what Paul wrote summarizes what you are describing as it reads to me. I don't get it at all! I also don't see many other sites on the web that offer set periods to stay logged in. Which makes it sound like a very low priority feature unless you sell it better.


[Blog] [JavaRanch FAQ] [How To Ask Questions The Smart Way] [Book Promos]
Blogging on Certs: SCEA Part 1, Part 2 & 3, Core Spring 3, OCAJP, OCPJP beta, TOGAF part 1 and part 2
Campbell Ritchie
Sheriff

Joined: Oct 13, 2005
Posts: 38489
    
  23
I think 30 minutes is quite reasonable. Can see no reason to change.
paul wheaton
Trailboss

Joined: Dec 14, 1998
Posts: 20542
    ∞

Personally, I really like the "remember me" thing. It fixes everything. And I do everything from my computer. Nobody else uses my computer and I have lots of password stuff on my computer "just in case".

If somebody goes to a library computer (or some other shared computer) to use JavaRanch, then the 30 minute thing seems just right.

I think that if you are on a library computer and then wander off while posting something and come back to finish it two hours later, then ... well ... that doesn't seem like something that is gonna happen.

Maybe it would help if we have a scenario so that we can understand the need for a change to the software.

Gamini Sirisena
Ranch Hand

Joined: Aug 05, 2008
Posts: 347
Hello Paul and all,

It's like this..

We get some routine maintenance done while we are not at office by system engineers, and some times they log in to our
boxes. This is my concern. May be they are unfounded. They usually use the admin accounts to log in and now come to think of it may be using the keep me logged in will not work when accessing the box with a different account. I am not sure.

But sure will be nice to be logged on for say even 12 hours and automatically to be logged out "if" the user prefers it. I do agree that a "default" time out of 30 minutes seems reasonable.
ankur rathi
Ranch Hand

Joined: Oct 11, 2004
Posts: 3830
Gamini Sirisena wrote:Hello Paul and all,

It's like this..

We get some routine maintenance done while we are not at office by system engineers, and some times they log in to our
boxes. This is my concern. May be they are unfounded. They usually use the admin accounts to log in and now come to think of it may be using the keep me logged in will not work when accessing the box with a different account. I am not sure.

But sure will be nice to be logged on for say even 12 hours and automatically to be logged out "if" the user prefers it. I do agree that a "default" time out of 30 minutes seems reasonable.


Yes, "keep me logged in" won't work for other user accounts so no need to worry.
Cookies are created in user's folders. In XP, it's C:\Documents and Settings\<username>\Cookies.

However, cases where you don't have multiple users on system or everyone is using one user account (say in cyber cafe), you must sign out.
Jeanne Boyarsky
internet detective
Marshal

Joined: May 26, 2003
Posts: 30377
    
150

Gamini Sirisena wrote: This is my concern. May be they are unfounded. They usually use the admin accounts to log in and now come to think of it may be using the keep me logged in will not work when accessing the box with a different account. I am not sure.

You are correct - they don't have access to your cookies.
Gamini Sirisena
Ranch Hand

Joined: Aug 05, 2008
Posts: 347
Thanks all for your time..
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: session time out. Can't you make it longer? May be about ... a day?