Hello, I know this is a classical question, but I'd be glad to hear your opinions.

We have a server with 4 CPUs and 4 GB of RAM. (I don't know the exact configuration, but it's a good server, I can say.) We have a database on another machine, but on the same LAN as the web server. So we have a three-tier application, but we can think of it as 2-tier for practical purposes. Our web application uses JSP and stateless session beans. The only thing we put on the session is a user object, which is not a bean but a session variable, that takes less than 4 KB of memory. We expect to have several thousand concurrent connections (2000-3000) from all around the country at peak times. (The application is a finance application where everyone will be entering and modifying texts, reading, inserting and updating the database.) The app is currently in its alpha testing phase, and I want to be sure of anything that may impact performance and security.

First question. We use several hidden iframes and load data asynchronously from the server into those iframes when necessary. This implementation was chosen because we do not want to post back the entire page to the server upon each client request. Our approach negatively impacts the first load of the application (it takes around 90 seconds on a dialup connection), but since most of the files used by the iframes are cached, the load time decreases to 10 seconds upon the second refresh. And after the first load, the user never needs to refresh the page fully. That is to say, to reduce the server load, we designed a fat client. Is it a relevant approach? What are its pros and cons?

Secondly, we use several HTC components and IE-dependent code to make life easier for clients. Since only our agents will be using the application, we can force them to use IE. Does this (using IE-dependent HTC components) make sense?

Thirdly, I've heard that HTC components had security leaks. Can anyone point me to an article on this?
And finally, will large session timeouts (say 3 hours per session) lead to a significant performance degradation? (Our users will be entering large texts while making phone calls, examining papers, etc. Being idle for an hour and losing everything they have written in a textbox upon session timeout will be a nightmare for them.)

i. Shall we implement a timeout counter which alerts the user with something like "your session will expire in 10 minutes if you don't save your work"?

ii. A simple calculation gives 3000 users * 4 KB of session data = 12 MB, which can be neglected in 4 GB of RAM. Am I under-estimating? (Note that I just consider "memory" optimization; security is another issue. The computers will not be publicly accessible, they will be used by the staff, and thus can be considered secure enough.) So what other things in terms of memory usage do I have to consider when optimizing the session timeouts?

Sorry if I am too inquisitive, but it's a critical application. And thanks so much in advance.

Cheers,
Volkan.
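As an added example that is not part of Volkan's post or his application's code: one way to build the client-side timeout counter asked about in (i). The 3-hour session timeout and the 10-minute warning are the values from the post; the `SessionWatch` class, its method names and the injectable clock are assumptions made here so the logic can be exercised without a browser. The counter is advisory only: the server's session timeout is the authoritative one, so `touch()` must be called only at moments when a request actually reached the server (a save, an iframe load), otherwise the client's idea of the remaining time drifts from the server's.

```javascript
// Added example, not from the original post. Client-side session-expiry warning.
// Assumed values (taken from the question): 3-hour server timeout, warn 10 minutes before.
const SESSION_TIMEOUT_MS = 3 * 60 * 60 * 1000;
const WARN_BEFORE_MS = 10 * 60 * 1000;

class SessionWatch {
  // `now` is injectable so the logic can be tested with a fake clock.
  constructor(timeoutMs = SESSION_TIMEOUT_MS, warnBeforeMs = WARN_BEFORE_MS, now = Date.now) {
    this.timeoutMs = timeoutMs;
    this.warnBeforeMs = warnBeforeMs;
    this.now = now;
    this.lastServerContact = now();
    this.warned = false;
  }

  // Call ONLY after a request has actually reached the server (save, iframe load).
  // The server extends its HttpSession on each request; the client clock must be
  // reset at exactly those moments, not on local keystrokes, or it drifts.
  touch() {
    this.lastServerContact = this.now();
    this.warned = false;
  }

  remainingMs() {
    return Math.max(0, this.timeoutMs - (this.now() - this.lastServerContact));
  }

  // 'ok' | 'warn' | 'expired'
  state() {
    const remaining = this.remainingMs();
    if (remaining === 0) return 'expired';
    if (remaining <= this.warnBeforeMs) return 'warn';
    return 'ok';
  }

  // One polling step. Returns a message to show the user, or null if nothing
  // new to say. The warning is shown once per idle period, the expiry every poll.
  poll() {
    const s = this.state();
    if (s === 'expired') {
      return 'Your session has expired. Unsaved text will be lost.';
    }
    if (s === 'warn' && !this.warned) {
      this.warned = true;
      const minutes = Math.ceil(this.remainingMs() / 60000);
      return `Your session will expire in ${minutes} minutes if you don't save your work.`;
    }
    return null;
  }
}

// Browser wiring (skipped when run outside a page, e.g. under Node).
if (typeof document !== 'undefined') {
  const watch = new SessionWatch();
  // Poll every 30 s; the warning itself is decided by SessionWatch.
  setInterval(() => {
    const msg = watch.poll();
    if (msg) alert(msg);
  }, 30 * 1000);
  // Hook point: after each successful save / server round trip, call watch.touch().
  document.addEventListener('app-server-contact', () => watch.touch());
}
```

The warning on its own does not make the 3-hour timeout any safer; an agent's unattended desk stays usable for as long as the server keeps the session alive. The usual compromise is to keep the server timeout shorter, let this counter prompt a save before it fires, and have the save itself (which reaches the server) extend the session.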