[thelist] What is the ideal session timeout (JSP)

[VOLKAN ÖZÇELİK]

Hello,

I know this is a classical question. But I'd be glad to hear your opinions.

We have a server with 4 CPU's and 4 Gig of ram. (I don't know the
exact configuration but it's a goooood server I can say.) We have a
database on another machine but on the same LAN with the web server.
So we have a three-tier application but we can think as if it were
2-tier for practical means.

Our a web application uses JSP and stateless session beans. The only
thing we put on the session is a user object, which is not a bean but
a session variable, that takes less than 4KB of memory.

We expect to have several thousands of concurrent connections
(2000-3000) from all around the country at peak times. (The
application is a finance application where everyone will be entering
and modifying texts, reading, inserting and updating the database.)

The app is currently in its alpha testing phase. And I want to be sure
of anything that may impact performance and security.

First question. We use several hidden iframes and we load data
asynchronously from the server into those iframes when necessary. This
implementation is chosen because we do not want to post back the
entire page to the server upon each client request. Our approach
negatively impacts the first load of the application (it takes around
90 seconds in a dialup connection) But since most of the files used by
the iframes are cached, the load time decreases to 10 seconds upon the
second refresh. And after first load, the user never requires to
refresh the page fully.

That is to say, to reduce the server load, we designed a fat client.
Is is ta relevant approach. What are its pros and cons?

Secondly, we use several HTC components and IE dependent code to make
life easier for clients. Since only our agents will be using the
application, we can force them use IE. Does this (using IE dependent
HTC components) make sense?

Thirdly, I've heard that HTC components had security leaks. Can anyone
point me an article on this.

And finally, will large session timeouts (say 3 hours per sesion) lead
a significant performance degredation? (our users will be entering
large texts, while making phone calls, examining papers etc... Being
idle for an hour and losing everything they have written in a textbox
upon session timeout will be a nightmare for them.

i. Shall we implement a timeout counter which alerts user  something
like "your session will be expired in 10 minutes if you don't save
your work" ?

ii. A simple calculation leads 3000 users * 4K of session data = 12
MB, which can be neglected in a 4 giga byte ram. Am I
under-estimating? (note that I just consider "memory" optimization,
security is another issue, the computers will not be publicly
accessible, they will be used by the staff, and thus can be considered
secure enough. ) So  what other things in terms of memory usage do I
have to consider when optimizing the sesion timeouts.

Sorry if I am too inquisitive, but it's a critical application.
and thanks so much in advance.
Cheers,
Volkan.