Ideal time duration for login a java web application

 
Ranch Hand
Could anyone please let me know what is the ideal time duration for login a java web application?
 
Marshal
Shorter is better, if I understand your question well. What time frame doesn't annoy you from the moment you push the login button till you actually get into the system?
 
Saloon Keeper
We are reading that as "how long should a user remain logged into a web application when not interacting with it?"

The answer varies depending on what the application does and how sensitive the data is.

For something that brings up sensitive data, often 10 minutes is about right. You basically want to keep the session alive, but not expose it if the user walks away from the terminal. Although you might make it a little longer if people complain about having to log in too frequently.

Conversely, an application which is less sensitive, but more labor-intensive might warrant a long timeout. If I spend 45 minutes using a database designer webapp, for example, I don't want all my work to get discarded just because I got distracted by a short phone call.

So it's a trade-off, and like many things, there's no one "right" answer.
 
Liutauras Vilda
Marshal
Alright.

Another idea is to show the user a couple of radio buttons, which may read as:
  • This is a public or shared computer (signs out in the time Tim mentioned)
  • This is a private computer (doesn't sign out until you kill the session, or it does but only after a reasonably long time)

Tim Holloway
Saloon Keeper
Some observations about what Liutauras said.

It's not uncommon these days for the login screen to have a checkbox for "This is a public/private computer". And/or a "Remember me on this computer" button.

I strongly recommend using the J2EE standard login system in almost all cases for the very simple reason that probably 95% of the "do it yourself" login systems I've seen over the last 15 years or so have had such major security flaws that unskilled persons could break in within 15 minutes or less.

However, the price of this level of security is that it's limited in what can be done at login. The JEE login system accepts 2 and only 2 parameters: user ID and password. This is in large part because depending on how you configure the webapp's web.xml file, the login might be a form, a standardized popup dialog supplied by the client software (browser) or some other generic mechanism - there's simply no place to put any other data or processing logic.

As far as it goes, for specific servers, one might be able to work around that. I suspect I could create a custom Realm module for Tomcat, for example. But obviously it wouldn't be a "write once/run anywhere" solution.
     
    Do you pee on your compost? Does this tiny ad?
    a bit of art, as a gift, the permaculture playing cards
    https://gardener-gift.com
    reply
      Bookmark Topic Watch Topic
    • New Topic