VOLKAN ÖZÇELİK wrote:
>And finally, will large session timeouts (say 3 hours per session) lead
>to a significant performance degradation? (Our users will be entering
>large texts while making phone calls, examining papers etc. Being
>idle for an hour and losing everything they have written in a textbox
>upon session timeout will be a nightmare for them.)
>
>i. Shall we implement a timeout counter which alerts the user with something
>like "your session will expire in 10 minutes if you don't save
>your work"?
>

On a web application I am building presently, I have a similar situation, though not with such critical security requirements as finance. The user has a browser window open for several hours; in order to avoid long sessions clogging up the server, or the risks and inconvenience you describe if the session expires on the user, I have implemented a "log 'em in again" system.

When a user logs in and indicates they wish to stay logged in, my application delivers a long random key as a cookie, as well as storing it in a keys table associated with the most recent successful login for the user.

Once the session (set to 20 minutes, as usual in ASP) has expired, on a subsequent request that would otherwise be bounced owing to the expiration of the normal ASP session variable, the application checks the HTTP request for a cookie key and validates it automatically; if the key is present in the keys table, then the user is logged back in silently.

Would this be a suitable approach for you? Can anyone see any gaping holes in such a system?

[Thinking out loud] With any system that allows users to stay logged in for extensive periods like you're describing, it is probably a good idea to force the user to re-confirm their password before allowing any critical operations, in case the user leaves their screen for a few minutes and a malicious interloper sneaks in Mission Impossible-style and tries to empty their account/delete all their data while they're in the loo.

[Note to self: must remember to do this where relevant in my app!]

HTH
Ian

PS - Volkan, you might want to think about offering a keyboard shortcut to save data and remain on the current screen. We had this on an internal web application we used for managing web site testing, where a form would be onscreen for ten to twenty minutes, and it was really useful as a prevention against unexpected quitting, system hanging or whatever when you have a reasonable amount of work entered in a browser window. Ours simply used accesskey 'S' on a form button. Worked really well.
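The "log 'em in again" scheme and the re-confirm-password step described in Ian's post, written out as an added example (this is not Ian's ASP code; it is a self-contained Python sketch of the same flow). The 20-minute session lifetime comes from the post; the remember-me key lifetime, the five-minute re-confirmation window, the user/password map and the `RememberMeApp` class name are assumptions made for the demo. Two things go slightly beyond what the post describes and are marked as such in the comments: the keys table stores a hash of the key rather than the key itself, and a key is rotated (consumed and reissued) each time it silently logs a user back in.

```python
import hashlib
import hmac
import secrets

# Added example, not code from the post. The 20-minute session follows the
# post; the other two lifetimes are assumptions for the demo.
SESSION_TTL = 20 * 60          # idle seconds before the ordinary session lapses
REMEMBER_TTL = 30 * 24 * 3600  # assumed lifetime of a remember-me key
REAUTH_WINDOW = 5 * 60         # assumed: how fresh a password confirmation must be


def _hash_key(key: str) -> str:
    """Keys table holds only a hash of the cookie value, so a copied table
    cannot be replayed as cookies (hardening added here; the post stores the key)."""
    return hashlib.sha256(key.encode()).hexdigest()


class RememberMeApp:
    """Toy server state: a sessions table, a keys table and a password check.
    `passwords` is a constructed username -> password map (ASCII only, since
    hmac.compare_digest on str requires it)."""

    def __init__(self, passwords: dict):
        self.passwords = passwords
        self.sessions = {}  # session id -> {"user", "last_seen", "reauth_at"}
        self.keys = {}      # sha256(key) -> {"user", "issued_at"}

    def _new_session(self, user, now, reauth_at=None):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "last_seen": now, "reauth_at": reauth_at}
        return sid

    def _issue_key(self, user, now):
        key = secrets.token_urlsafe(32)  # long random key, as in the post
        self.keys[_hash_key(key)] = {"user": user, "issued_at": now}
        return key

    def login(self, user, password, remember, now):
        """Password login. Returns cookies to set, or None if the password is wrong."""
        expected = self.passwords.get(user)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        # A real password login counts as a fresh confirmation.
        cookies = {"session": self._new_session(user, now, reauth_at=now)}
        if remember:
            cookies["remember"] = self._issue_key(user, now)
        return cookies

    def authenticate(self, cookies, now):
        """Resolve a request to a user. If the session has lapsed but a valid
        remember-me key is presented, log the user back in silently and rotate
        the key (added here: a copied cookie is good for one use only).
        Returns (user, cookies_to_set) or (None, {})."""
        sess = self.sessions.get(cookies.get("session"))
        if sess and now - sess["last_seen"] <= SESSION_TTL:
            sess["last_seen"] = now
            return sess["user"], cookies
        if sess:
            del self.sessions[cookies["session"]]  # lapsed session is dropped
        key = cookies.get("remember")
        rec = self.keys.pop(_hash_key(key), None) if key else None
        if rec is None or now - rec["issued_at"] > REMEMBER_TTL:
            return None, {}
        user = rec["user"]
        # Silent re-login: new session with no recent password proof, so
        # critical operations will still demand a re-confirmation.
        return user, {"session": self._new_session(user, now),
                      "remember": self._issue_key(user, now)}

    def confirm_password(self, cookies, password, now):
        """The re-confirmation step from the post, inside a live session."""
        sess = self.sessions.get(cookies.get("session"))
        if not sess or not hmac.compare_digest(self.passwords[sess["user"]], password):
            return False
        sess["reauth_at"] = now
        return True

    def critical_operation(self, cookies, now):
        """Only proceeds if the password was confirmed within REAUTH_WINDOW."""
        sess = self.sessions.get(cookies.get("session"))
        if not sess or now - sess["last_seen"] > SESSION_TTL:
            return "denied: not logged in"
        if sess["reauth_at"] is None or now - sess["reauth_at"] > REAUTH_WINDOW:
            return "denied: confirm your password first"
        sess["last_seen"] = now
        return f"ok: performed for {sess['user']}"


if __name__ == "__main__":
    app = RememberMeApp({"volkan": "correct horse"})  # constructed demo credentials
    t = 1_000_000
    cookies = app.login("volkan", "correct horse", remember=True, now=t)
    user, cookies = app.authenticate(cookies, t + 3600)  # an hour idle: silent re-login
    print(user, app.critical_operation(cookies, t + 3610))  # denied until re-confirmed
```

Rotating the key on every silent re-login means the keys table only ever holds one live key per browser, and a stolen cookie that is used by an attacker invalidates itself for the legitimate user (or vice versa), which at least makes the theft visible.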