I think any solution that relies on the user clicking a logout button will
probably end up failing. I dont think such well trained users exist. My
users are liable to check their favourite website half way through using the
application - you can bet they wont remember to click the logout button
first.
Also, what happens if the user just closes the browser window when they are
finished? You end up having a session sitting around forever if you dont use
the session timeout mechanism.
The only viable solution i can think of is to set a session timeout value
relevant to you application (eg 30 minutes for busy sites, longer for
others) and to implement a method of checking that a session is valid before
accessing variables in it.
eg The first thing your servlet does is check if the session has timed out.
If it has then forward the user to the login page and continue when they
have logged in again.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Seung Ryong
Bang
Sent: Friday, 26 January 2001 4:10 AM
To: Orion-Interest
Subject: Re: Session timeout
Thanks, Matt!
First of all, I meant the session to be alive unless he or she purposedly
closed the session.
The reason is that with a certain session timeout, if a user remains idle,
all the objects
defined in the session will not be available any more, which will result in
a NullPointerException
in the long run. Without logging back and forth to use the system, once a
user logs in,
s/he needs to stay logged in as long as s/he does not press the `logout'
button.
I was thinking this might cause a huge session waste if a user opened many
other sessions
only not to close them. I am not sure if this is a correct assumption. I
only hope the server
will take care of this resource leakage automatically, but...
Please any little tip will help~~~~
Thanks a million.
----- Original Message -----
From: "Matt Krevs" <[EMAIL PROTECTED]>
To: "Orion-Interest" <[EMAIL PROTECTED]>
Sent: Wednesday, January 24, 2001 7:58 PM
Subject: RE: Session timeout
> Yes
>
> <session-config>
> <session-timeout>X</session-timeout>
> </session-config>
>
> is where you specify the number of minutes of inactivity before web
sessions
> are timed out
>
> I dont know for sure what setting this value to 0 does. If it means that
> sessions never timeout then you probably shouldnt ever set it to 0 (unless
> you are fond of being forced to restart your application every week)
because
> each session with hang around in memory indefinitely.
>
> Regarding a "session bean's timeout" i think you are referring to EJB
entity
> beans? I dont know much about EJB but i'm pretty sure this is a different
> thing and has nothing to do with servlets or JSP.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Seung Ryong
> Bang
> Sent: Thursday, 25 January 2001 12:14 PM
> To: Orion-Interest
> Subject: Re: Session timeout
>
>
> Nobody's answering my question. Please~~~~~~
> Any idea is welcome. Thanks very much.
>
>
> ----- Original Message -----
> From: "Seung Ryong Bang" <[EMAIL PROTECTED]>
> To: "Orion-Interest" <[EMAIL PROTECTED]>
> Sent: Monday, January 22, 2001 10:03 AM
> Subject: Session timeout
>
>
> > Hello all,
> > I have just put the following line in my web.xml.
> >
> > <session-config>
> > <session-timeout>0</session-timeout>
> > </session-config>
> >
> > It will not invalidate any session unless the session is forced to be
> > invalidated on purpose.
> > I do not really know if it's going to be fine that way.
> > A session is going to be alive without being invalidated all thru the
> > system,
> > even if the session is not used by anyone anymore. Is that right?
> > That being the case, isn't it kinda resource waste? Am I getting
something
> > wrong?
> > I appreciate your help and thoughts in advance.
> >
> >
> > PS: The above config. in web.xml sets the servlet session timeout.
Right?
> > Then what about session bean's
> > timeout? Is that the same thing? Or is it somewhere else?
> >
> >
> >
>
>
