session timeouts

 
Winston Smith
Ranch Hand
Posts: 136
Hi all,
We've recently had a debate about session timeouts, specifically, the definition of "inactivity". Two basic opinions:
1. Inactivity meaning the client has not contacted the server for x seconds
2. Inactivity meaning the client has not pressed any keys, or performed any mouse events (handled via JavaScript) for x seconds
Naturally, case 1 will occur regardless. But to exercise more control over the application, one proposal is to implement a JavaScript timer which captures events and resets the timeout. Another proposal is to implement a session timeout with JSP, but this will not reset the timer unless the server is contacted. What do you guys think?
Thanks,
WS
 
Kripal Singh
Ranch Hand
Posts: 254
  • Likes 1
I also faced a similar situation once, and here is the solution I used. We set the session timeout at 30 min. After 28 min of inactivity we pop up a window (using JavaScript) giving two options: either to continue or to log out. If the user chooses to continue, we invoke one servlet, which does nothing but hit the server and close the popup window. If there is no activity, the user is logged out automatically after two minutes.
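
The client-side half of the warn-then-keep-alive approach described in the post above, as an added example that is not code from this thread or its posters. The timer restarts only after a server round trip, so keystrokes and mouse movement alone never extend the session. `createSessionWatcher`, the `hooks` object and the keep-alive request it wraps are hypothetical names supplied by the page that uses it.

```javascript
// Added example, not code from the thread. Timings are the ones in the post.
const SESSION_TIMEOUT_MS = 30 * 60 * 1000; // server-side session timeout
const WARN_AFTER_MS = 28 * 60 * 1000;      // show the popup at 28 minutes

// Hypothetical helper. hooks = { showWarning, hideWarning, keepAlive, logout };
// keepAlive() must request the keep-alive URL and resolve true only on success.
// `timers` is injectable so the logic can run outside a browser.
function createSessionWatcher(hooks, timers = {
  set: (fn, ms) => setTimeout(fn, ms),
  clear: (id) => clearTimeout(id),
}) {
  let warnTimer = null;
  let expireTimer = null;
  let state = "idle"; // then "active" -> "warning" -> "expired"

  function clearAll() {
    timers.clear(warnTimer);
    timers.clear(expireTimer);
  }

  function expire() {
    clearAll();
    state = "expired";
    hooks.logout();
  }

  // Call after every successful server response: only a server round trip
  // resets the container's inactivity clock, so only that restarts this one.
  function serverContacted() {
    clearAll();
    state = "active";
    hooks.hideWarning();
    warnTimer = timers.set(() => {
      state = "warning";
      hooks.showWarning();
      expireTimer = timers.set(expire, SESSION_TIMEOUT_MS - WARN_AFTER_MS);
    }, WARN_AFTER_MS);
  }

  // Handler for the popup's "continue" button.
  async function continueSession() {
    if (state !== "warning") return false;
    const ok = await hooks.keepAlive();
    if (state !== "warning") return false; // timed out while waiting
    if (ok) serverContacted(); else expire();
    return ok;
  }

  return { serverContacted, continueSession, expire, getState: () => state };
}
```

The server-side session timeout remains the authority; this code only mirrors it so the user gets a warning before the container invalidates the session.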
 
Winston Smith
Ranch Hand
Posts: 136
Thanks for the suggestion, Kripal. Our scenario is basically this:
Tomcat controls the "global" timeout at 30 minutes; however, we'd like to set a lower threshold (around 5 - 10 minutes) for our application, but keep the "global". Essentially, if the server is not contacted within 30 minutes, it will time out, that's a given. What happens in the meantime is open to question.
For instance, I'm working on a form, tapping away at the keyboard...thinking some...tapping some more. During this time the server is not contacted. Now if 10 minutes pass, one solution is to simply time out due to server inactivity. Another is to reset the timer each time a key is pressed or the mouse is moved, allowing the user to maintain a session if they are performing ANY activity. Of course, if the latter solution is used, we'd have to notify them if they are approaching the 30-minute mark.
I'm still debating this. Any more opinions?
Thanks,
WS
 
Michael Fitzmaurice
Ranch Hand
Posts: 168
Hi Winston
Remember that you can set different timeouts for different web applications running in the same instance of Tomcat (use the <session-config> element in the web.xml file of your web app). The 'global value' of 30 mins you speak of is actually just a default value that Tomcat uses if you do not supply this element.
My advice to you would be to keep it very simple - figure out the longest amount of time that it would take a reasonable person to fill in the most involved of your pages, then set the session timeout to slightly longer than this. Don't bother trying to track the session on the client as well as the server - the session is a server-side concept.
Using your client-side JavaScript idea, you would need to post something to the server every time the user hit a key or moved the mouse, and this is terribly inefficient. You would also be giving the user the ability to hog resources on the server purely by messing about on their client - session timeouts help the server to conserve resources by booting out any time wasters, and this is a good thing. If you let people hold sessions open without (in effect) actually using your web app, you are giving them power they should not have.
Think about any online banking app or shopping cart application you have ever used - they only track the session on the server, not the client, and this is conventional behaviour. You really do not need to make it any more complex. So long as the timeout is set to a reasonable value, nobody can complain.
Michael
P.S. Also remember that you can set the session timeout on a per-request basis, using the HttpSession.setMaxInactiveInterval() method, so you could set a higher/lower timeout if the request is for a particular resource that you feel warrants a longer/shorter time for the client to process than other resources within your application.
[ October 24, 2003: Message edited by: Michael Fitzmaurice ]
 
Winston Smith
Ranch Hand
Posts: 136
Thanks for the thorough reply, Michael. I have a better understanding of the implications of allowing the client-side to control timeouts, so I will look at the Tomcat config file and set an appropriate timeout value for the application. Your help is greatly appreciated,
WS
 
Indhu mathi Elango
Greenhorn
Posts: 1
Kripal Singh wrote: I also faced a similar situation once, and here is the solution I used. We set the session timeout at 30 min. After 28 min of inactivity we pop up a window (using JavaScript) giving two options: either to continue or to log out. If the user chooses to continue, we invoke one servlet, which does nothing but hit the server and close the popup window. If there is no activity, the user is logged out automatically after two minutes.


Hi Kripal,

Could you please help me by telling me how you implemented this solution?

Thanks in advance!

Regards,
Indhu
 