
Ideal time duration for login in a Java web application

 
Sijesh Alayaril
Ranch Hand
Could anyone please let me know what the ideal time duration is for login in a Java web application?
 
Liutauras Vilda
Bartender
Shorter is better, if I understand your question correctly. What time frame doesn't annoy you from the moment you push the login button until you actually get into the system?
 
Tim Holloway
Saloon Keeper
We are reading that as "how long should a user remain logged into a web application when not interacting with it?"

The answer varies depending on what the application does and how sensitive the data is.

For something that brings up sensitive data, often 10 minutes is about right. You basically want to keep the session alive, but not expose it if the user walks away from the terminal. Although you might make it a little longer if people complain about having to log in too frequently.

Conversely, an application which is less sensitive, but more labor-intensive might warrant a long timeout. If I spend 45 minutes using a database designer webapp, for example, I don't want all my work to get discarded just because I got distracted by a short phone call.

So it's a trade-off, and like many things, there's no one "right" answer.
 
Liutauras Vilda
Bartender
Alright.

Another idea is to show the user a couple of radio buttons, which might read:
  • This is a public or shared computer (signs out after the time Tim mentioned)
  • This is a private computer (doesn't sign out until you end the session, or does so only after a reasonably long time)

Tim Holloway
Saloon Keeper
Some observations about what Liutauras said.

It's not uncommon these days for the login screen to have a checkbox for "This is a public/private computer". And/or a "Remember me on this computer" button.

I strongly recommend using the J2EE standard login system in almost all cases for the very simple reason that probably 95% of the "do it yourself" login systems I've seen over the last 15 years or so have had such major security flaws that unskilled persons could break in within 15 minutes or less.

However, the price of this level of security is that it's limited in what can be done at login. The JEE login system accepts 2 and only 2 parameters: user ID and password. This is in large part because depending on how you configure the webapp's web.xml file, the login might be a form, a standardized popup dialog supplied by the client software (browser) or some other generic mechanism - there's simply no place to put any other data or processing logic.

As far as it goes, for specific servers, one might be able to work around that. I suspect I could create a custom Realm module for Tomcat, for example. But obviously it wouldn't be a "write once/run anywhere" solution.
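An added example (not code from this thread, and not the container's own login mechanism) that ties the three points above together: Tim's short idle timeout for sensitive data, Liutauras's "shared or private computer" choice, and Tim's recommendation to let the container check credentials. It goes slightly beyond Tim's last remark: since Servlet 3.0, HttpServletRequest.login(username, password) hands the credential check to the container's configured realm while the application's own servlet reads the rest of the form, so the extra radio button can be honoured without a server-specific Realm. It assumes the javax.servlet API (Servlet 3.0+), a realm configured in the container, a web.xml security-constraint protecting /app/*, and a login page at /login.html; the paths, field names and timeout values are assumptions for illustration.

```java
// Added example, not code from the thread. Assumes the Servlet 3.0+ API
// (javax.servlet), a realm configured in the container (so the credential
// check stays the container's, not a hand-rolled comparison), a web.xml
// <security-constraint> protecting /app/*, and a login page at /login.html.
// Paths, parameter names and timeout values are assumptions for illustration.
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Handles the login form (fields: username, password, computer=shared|private). */
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    static final String LOGIN_TIME = "loginTime";
    // Idle timeouts in seconds: short on a shared machine, long on a private one.
    static final int SHARED_IDLE_SECONDS  = 10 * 60;      // 10 minutes
    static final int PRIVATE_IDLE_SECONDS = 8 * 60 * 60;  // 8 hours

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        // Anything other than an explicit "private" gets the safer, shorter timeout.
        boolean shared = !"private".equals(req.getParameter("computer"));

        if (user == null || pass == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // Drop any pre-login session so a session id planted before login
        // (session fixation) never becomes the authenticated session.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }

        try {
            // The container's realm checks the credentials. Bad credentials (or a
            // login-config that does not support this call) surface as ServletException.
            req.login(user, pass);
        } catch (ServletException loginFailed) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        HttpSession session = req.getSession(true);
        session.setMaxInactiveInterval(shared ? SHARED_IDLE_SECONDS : PRIVATE_IDLE_SECONDS);
        session.setAttribute(LOGIN_TIME, System.currentTimeMillis());
        resp.sendRedirect(req.getContextPath() + "/app/");
    }
}

/** Caps total session age, so even a constantly active "private computer" session ends. */
@WebFilter("/app/*")
class AbsoluteLifetimeFilter implements Filter {

    static final long ABSOLUTE_LIFETIME_MS = 12L * 60 * 60 * 1000; // 12 hours

    @Override
    public void init(FilterConfig config) {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        HttpSession session = req.getSession(false);
        Long loginTime = session == null ? null : (Long) session.getAttribute(LoginServlet.LOGIN_TIME);

        if (loginTime != null && System.currentTimeMillis() - loginTime > ABSOLUTE_LIFETIME_MS) {
            session.invalidate();
            resp.sendRedirect(req.getContextPath() + "/login.html?expired=1");
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }
}
```

The idle timeout set here overrides the web.xml session-timeout for that session only; the absolute cap is the piece neither the container nor the radio button gives you on its own, and it is what stops a "private computer" session from living for weeks because something keeps polling the server. The security-constraint and login-config still belong in web.xml; this servlet only replaces the form's target, not the container's enforcement.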
     