We've recently had a debate about session timeouts, specifically, the definition of "inactivity". Two basic opinions:
1. Inactivity meaning the client has not contacted the server for x seconds
Tomcat controls the "global" timeout at 30 minutes; however, we'd like to set a lower threshold (around 5 - 10 minutes) for our application, but keep the "global". Essentially, if the server is not contacted within 30 minutes, it will time out, that's a given. What happens in the meantime is open to question.
For instance, I'm working on a form, tapping away at the keyboard... thinking some... tapping some more. During this time the server is not contacted. Now if 10 minutes pass, one solution is to simply time out due to server inactivity. Another is to reset the timer each time a key is pressed or the mouse is moved, allowing the user to maintain a session if they are performing ANY activity. Of course, if the latter solution is used, we'd have to notify them if they are approaching the 30 minute mark.
I'm still debating this. Any more opinions?
Remember that you can set different timeouts for different web applications running in the same instance of Tomcat (use the <session-config> element in the web.xml file of your web app). The 'global value' of 30 mins you speak of is actually just a default value that Tomcat uses if you do not supply this element.
My advice to you would be to keep it very simple - figure out the longest amount of time that it would take a reasonable person to fill in the most involved of your pages, then set the session timeout to slightly longer than this. Don't bother trying to track the session on the client as well as the server - the session is a server-side concept.
Think about any online banking app or shopping cart application you have ever used - they only track the session on the server, not the client, and this is conventional behaviour. You really do not need to make it any more complex. So long as the timeout is set to a reasonable value, nobody can complain.
P.S. Also remember that you can set the session timeout on a per-request basis, using the HttpSession.setMaxInactiveInterval() method, so you could set a higher/lower timeout if the request is for a particular resource that you feel warrants a longer/shorter time for the client to process than other resources within your application.
[ October 24, 2003: Message edited by: Michael Fitzmaurice ]
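The two mechanisms mentioned above, the per-application `<session-config>` default in web.xml and the per-request `HttpSession.setMaxInactiveInterval()` call, put together as an added example (this is not code from either poster). The filter class, its path-to-timeout table, the 10 minute default and the `X-Session-Expires-In` response header are all assumed names chosen for illustration. The header is one server-side way to give a page the information it needs to warn the user before the cut-off, without the client tracking the session itself.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/*
 * Application-wide default, set in WEB-INF/web.xml (minutes, not seconds).
 * This overrides Tomcat's 30 minute default for this web app only:
 *
 *   <session-config>
 *     <session-timeout>10</session-timeout>
 *   </session-config>
 *
 * The filter below (hypothetical name) then tightens or relaxes that value
 * per request, and is mapped in web.xml with <url-pattern>/*</url-pattern>.
 */
public class SessionTimeoutFilter implements Filter {

    /** Same value as the web.xml default above, but in seconds (assumed: 10 min). */
    static final int DEFAULT_TIMEOUT_SECONDS = 10 * 60;

    /** Servlet-path prefix -> inactivity timeout in seconds (illustrative table). */
    private static final Map<String, Integer> TIMEOUTS = new LinkedHashMap<String, Integer>();
    static {
        TIMEOUTS.put("/forms/longApplication", 30 * 60); // the most involved form
        TIMEOUTS.put("/admin", 5 * 60);                   // sensitive area: shorter
    }

    public void init(FilterConfig config) { }
    public void destroy() { }

    /** Longest matching prefix wins; falls back to the application default. */
    static int timeoutFor(String servletPath) {
        int best = DEFAULT_TIMEOUT_SECONDS;
        int bestLen = -1;
        for (Map.Entry<String, Integer> e : TIMEOUTS.entrySet()) {
            String prefix = e.getKey();
            if (servletPath.startsWith(prefix) && prefix.length() > bestLen) {
                best = e.getValue();
                bestLen = prefix.length();
            }
        }
        return best;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): never create a session merely to set its timeout.
        HttpSession session = request.getSession(false);
        if (session != null) {
            int seconds = timeoutFor(request.getServletPath());
            // Per-request override of the web.xml default; measured from the
            // last request that carried this session id.
            session.setMaxInactiveInterval(seconds);
            // Hypothetical header so a page can schedule a "session about to
            // expire" warning without tracking the session on the client.
            response.setHeader("X-Session-Expires-In", String.valueOf(seconds));
        }
        chain.doFilter(req, res);
    }
}
```

Note that `setMaxInactiveInterval()` only changes the inactivity window; the clock is still the time since the last request that presented the session id, so typing on a form without submitting does not extend it. Keep the shorter values for the sensitive paths and let the longest form drive the default, as the post above suggests.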
Could you please help me by telling me how you implemented this solution?
Thanks in advance!