[thelist] What is the ideal session timeout (JSP)
Ian Anderson
ian at zstudio.co.uk
Fri Mar 18 16:51:02 CST 2005
VOLKAN ÖZÇELİK wrote:
>And finally, will large session timeouts (say 3 hours per session) lead
>to a significant performance degradation? (our users will be entering
>large texts, while making phone calls, examining papers etc... Being
>idle for an hour and losing everything they have written in a textbox
>upon session timeout will be a nightmare for them.
>
>i. Shall we implement a timeout counter which alerts user something
>like "your session will be expired in 10 minutes if you don't save
>your work" ?
>
On a web application I am building presently, I have a similar situation
though not with such critical security requirements as finance.
The user has a browser window open for several hours; in order to avoid
long sessions clogging up the server, or the risks and inconvenience you
describe if the session expires on the user, I have implemented a
"log'em in again" system. When a user logs in and indicates they wish to
stay logged in, my application delivers a long random key as a cookie,
as well as storing it in a keys table associated with the most recent
successful login for the user. Once the session (set to 20 minutes as
usual in ASP) has expired, on a subsequent request that would otherwise
be bounced owing to the expiration of the normal ASP session variable,
the application checks the HTTP request for a cookie key and validates
it automatically; if the key is present in the keys table, then the user
is logged back in silently.
Would this be a suitable approach for you?
Can anyone see any gaping holes in such a system?
[Thinking out loud] With any system that allows users to stay logged in
for extensive periods like you're describing, it is probably a good idea
to force the user to re-confirm their password before allowing any
critical operations, in case the user leaves their screen for a few
minutes and a malicious interloper sneaks in Mission Impossible-style,
and tries to empty their account/delete all their data while they're in
the loo. [Note to self - must remember to do this where relevant in my
app!]
HTH
Ian
PS - Volkan, you might want to think about offering a keyboard shortcut
to save data and remain on the current screen. We had this on an
internal web application we used for managing web site testing where a
form would be onscreen for ten to twenty minutes, and it was really
useful as a prevention against unexpected quitting, system hanging or
whatever when you have a reasonable amount of work entered in a browser
window. Ours simply used accesskey 'S' on a form button. Worked really well.
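Ian's "log'em in again" scheme together with his re-confirm-the-password guard for critical operations, written out as an added Python sketch; this is not code from the post or from Ian's ASP application, and the function names, the 3-hour key lifetime and the 5-minute re-auth window are assumptions chosen for the example.

```python
import hashlib
import secrets
# Constructed values for this example, not from the post
KEY_TTL = 3 * 60 * 60    # persistent key honoured for 3 hours after issue
REAUTH_WINDOW = 5 * 60   # password confirmation older than 5 min is stale

class KeyStore:
    """The 'keys table'; holds only sha256(key), so a copied table is not replayable."""
    def __init__(self):
        self.rows = {}  # sha256(key) -> (user, issued_at)

    @staticmethod
    def _digest(key):
        return hashlib.sha256(key.encode()).hexdigest()

    def issue(self, user, now):
        """Cookie value for a fresh password login; send it with HttpOnly and Secure."""
        key = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.rows[self._digest(key)] = (user, now)
        return key

    def validate(self, key, now):
        """User for a live key, else None; expired keys are purged on sight."""
        row = self.rows.get(self._digest(key))
        if row is None:
            return None
        user, issued_at = row
        if now - issued_at > KEY_TTL:
            del self.rows[self._digest(key)]
            return None
        return user

    def revoke(self, user):
        """On logout or password change, drop every key the user holds."""
        self.rows = {h: r for h, r in self.rows.items() if r[0] != user}

def resume_session(session, cookies, store, now):
    """Request filter: when the normal session has expired, try the cookie key
    before bouncing the user to the login page."""
    if session.get("user"):
        return session["user"]
    key = cookies.get("remember")
    user = store.validate(key, now) if key else None
    if user is not None:
        session["user"] = user
        session["pw_confirmed_at"] = None  # silent login: no fresh password proof
    return user
def critical_op_allowed(session, now):
    """Transfers, bulk deletes etc. need a recent password confirmation."""
    confirmed = session.get("pw_confirmed_at")
    return confirmed is not None and now - confirmed <= REAUTH_WINDOW
```

A silently resumed session can browse and keep typing, but `critical_op_allowed` stays false until the user proves the password again, which is the guard against the interloper case above.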