[thelist] What is the ideal session timeout (JSP)

Ian Anderson ian at zstudio.co.uk
Fri Mar 18 16:51:02 CST 2005


VOLKAN ÖZÇELİK wrote:

>And finally, will large session timeouts (say 3 hours per session) lead
>to a significant performance degradation? (Our users will be entering
>large texts, while making phone calls, examining papers etc... Being
>idle for an hour and losing everything they have written in a textbox
>upon session timeout will be a nightmare for them.)
>
>i. Shall we implement a timeout counter which alerts the user with something
>like "your session will be expired in 10 minutes if you don't save
>your work"?
>
On a web application I am building presently, I have a similar situation, 
though not with such critical security requirements as finance.

The user has a browser window open for several hours; in order to avoid 
long sessions clogging up the server, or the risks and inconvenience you 
describe if the session expires on the user, I have implemented a 
"log'em in again" system. When a user logs in and indicates they wish to 
stay logged in, my application delivers a long random key as a cookie, 
as well as storing it in a keys table associated with the most recent 
successful login for the user. Once the session (set to 20 minutes as 
usual in ASP) has expired, on a subsequent request that would otherwise 
be bounced owing to the expiration of the normal ASP session variable, 
the application checks the HTTP request for a cookie key and validates 
it automatically; if the key is present in the keys table, then the user 
is logged back in silently.

Would this be a suitable approach for you?

Can anyone see any gaping holes in such a system?

[Thinking out loud] With any system that allows users to stay logged in 
for extensive periods like you're describing, it is probably a good idea 
to force the user to re-confirm their password before allowing any 
critical operations, in case the user leaves their screen for a few 
minutes and a malicious interloper sneaks in Mission Impossible-style, 
and tries to empty their account/delete all their data while they're in 
the loo. [Note to self - must remember to do this where relevant in my 
app!]

HTH

Ian

PS - Volkan, you might want to think about offering a keyboard shortcut 
to save data and remain on the current screen. We had this on an 
internal web application we used for managing web site testing where a 
form would be onscreen for ten to twenty minutes, and it was really 
useful as a prevention against unexpected quitting, system hanging or 
whatever when you have a reasonable amount of work entered in a browser 
window. Ours simply used accesskey 'S' on a form button. Worked really well.
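A sketch of the "log 'em in again" mechanism described above, together with the password re-confirmation check for critical operations, as an added Python example (not code from the original thread or from Ian's ASP application). The in-memory KEYS dict stands in for the keys table, the 30-day key lifetime and 5-minute re-auth window are assumed values, and the server stores only a hash of each key so that a copied table cannot be replayed as cookies.

```python
import hashlib
import secrets
import time

# Hypothetical in-memory "keys table": maps sha256(key) -> (user_id, expires_at).
# Only the hash is stored, so a leaked table cannot be replayed as cookies.
KEYS = {}
KEY_LIFETIME = 30 * 24 * 3600  # 30 days; assumed value, tune to your risk appetite
REAUTH_WINDOW = 300            # seconds a password re-confirmation stays valid (assumed)

def _key_hash(key):
    return hashlib.sha256(key.encode()).hexdigest()

def issue_remember_key(user_id, now=None):
    """On a 'stay logged in' login: mint a long random key, store its hash, return the cookie value."""
    now = time.time() if now is None else now
    key = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
    KEYS[_key_hash(key)] = (user_id, now + KEY_LIFETIME)
    return key

def revoke_user_keys(user_id):
    """Invalidate every remember-me key for a user (logout everywhere, password change)."""
    for h in [h for h, (uid, _) in KEYS.items() if uid == user_id]:
        del KEYS[h]

def restore_session(session, cookies, now=None):
    """Normal session gone? Silently log the user back in if the cookie key is in the table."""
    now = time.time() if now is None else now
    if session.get("user_id") is not None:
        return session["user_id"]
    h = _key_hash(cookies.get("remember_me", ""))
    entry = KEYS.get(h)
    if entry is None:
        return None
    user_id, expires_at = entry
    if now > expires_at:
        del KEYS[h]  # expired keys are cleaned up, not honoured
        return None
    session["user_id"] = user_id
    session["password_verified_at"] = None  # restored silently; password was not seen
    return user_id

def critical_operation_allowed(session, now=None):
    """Require a fresh password confirmation before account-emptying operations."""
    now = time.time() if now is None else now
    verified = session.get("password_verified_at")
    return verified is not None and now - verified <= REAUTH_WINDOW
```

A silently restored session never satisfies critical_operation_allowed until the password form sets password_verified_at again.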
