Hi Ikai, the way you are managing sessions is not good. Actually, you are using cookies for managing sessions, which is not a good thing. Instead, session management is done at the server side, not the client side.

On Mon, May 3, 2010 at 1:18 PM, Ikai L (Google) <[email protected]> wrote:

> I'm not sure how this mitigates use of the _ah_session records that are
> created. Anytime you set an attribute, it will use this. If you're worried
> about _ah_session getting out of control, a better way would be to use
> Memcache for session data and associate it with a cookie. Stale, unused
> session data will be automatically expired. The advantage of using the
> built-in sessions is that since they are backed by both Memcache and the
> datastore, they're going to be less volatile.
>
> On Sun, May 2, 2010 at 8:46 AM, lembas <[email protected]> wrote:
>
>> I have a couple of questions about session management. I use GWT+GAE. I
>> do not want my _ah_sessions table to be out of control. I do not want
>> to generate unnecessary sessions.
>>
>> I have <sessions-enabled>true</sessions-enabled> in my
>> appengine-web.xml.
>>
>> 1. I have the following code at the beginning of my onModuleLoad()
>> method, is it ok?
>>
>>     // Client side (GWT): re-set the existing JSESSIONID cookie with a one-year expiry
>>     String sessionid = Cookies.getCookie("JSESSIONID");
>>     if (sessionid != null) {
>>         Date now = new Date();
>>         Date expires = new Date(now.getTime() + (long) 1000 * 60 * 60 * 24 * 365);
>>         Cookies.setCookie("JSESSIONID", sessionid, expires);
>>     }
>>
>> 2. After the user sends his/her username&password to the server for the
>> first time (i.e. with a new JSESSIONID cookie), I get that "user"
>> object from database and if I have it, I save it using:
>>
>>     getThreadLocalRequest().getSession().setAttribute("user", user);
>>
>> and send it to the client as a sign of a successful login.
>>
>> So next time client visits the site with the same JSESSIONID I can get
>> the user object directly by:
>>
>>     getThreadLocalRequest().getSession().getAttribute("user");
>>
>> ---
>>
>> Is it ok how I use the session management? Is it true that every
>> request comes with the same JSESSIONID (unless client deleted it
>> deliberately), no new session is created on server and server does not
>> need to access database to get the user object?
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Google App Engine for Java" group.
>> To post to this group, send email to [email protected].
>> To unsubscribe from this group, send email to [email protected].
>> For more options, visit this group at
>> http://groups.google.com/group/google-appengine-java?hl=en.
>
> --
> Ikai Lan
> Developer Relations, Google App Engine
> Twitter: http://twitter.com/ikai
> Delicious: http://delicious.com/ikailan
>
> ----------------
> Google App Engine links:
> Blog: http://googleappengine.blogspot.com
> Twitter: http://twitter.com/app_engine
> Reddit: http://www.reddit.com/r/appengine
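
Added example, not part of the thread and not App Engine's own session code: one way to implement the suggestion in Ikai's reply (session data held in Memcache and tied to a cookie), written against the App Engine Memcache API. The class name, the cookie name "sid", the 30-minute idle timeout and an HTTPS-only deployment are assumptions.

```java
import com.google.appengine.api.memcache.*;
import java.io.Serializable;
import java.math.BigInteger;
import java.security.SecureRandom;
import javax.servlet.http.*;

/** Hypothetical helper: session data lives in Memcache, keyed by a random cookie value. */
public final class MemcacheSessions {
    private static final String COOKIE = "sid";       // assumed cookie name
    private static final int IDLE_SECONDS = 30 * 60;  // assumed idle timeout
    private static final SecureRandom RNG = new SecureRandom();
    private static final MemcacheService CACHE = MemcacheServiceFactory.getMemcacheService();

    /** Call after a successful login: stores the user and issues a fresh session id. */
    public static void start(HttpServletResponse resp, Serializable user) {
        String id = new BigInteger(128, RNG).toString(16); // 128 random bits as hex
        CACHE.put(key(id), user, Expiration.byDeltaSeconds(IDLE_SECONDS));
        // Browser-session cookie; HttpOnly means page script cannot read or re-set it.
        resp.addHeader("Set-Cookie", COOKIE + "=" + id + "; Path=/; Secure; HttpOnly");
    }

    /** Returns the stored user, or null if the cookie is absent or the entry expired or was evicted. */
    public static Object current(HttpServletRequest req) {
        String id = readId(req);
        if (id == null) return null;
        Object user = CACHE.get(key(id));
        if (user != null) {
            // Sliding expiry is renewed on the server, not by rewriting the cookie in the client.
            CACHE.put(key(id), user, Expiration.byDeltaSeconds(IDLE_SECONDS));
        }
        return user;
    }

    /** Logout: drop the server-side entry so the cookie value becomes useless. */
    public static void end(HttpServletRequest req) {
        String id = readId(req);
        if (id != null) CACHE.delete(key(id));
    }

    private static String key(String id) { return "session:" + id; }

    private static String readId(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies(); // null when the request carries no cookies
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            // Accept only hex ids of plausible length before using them as a cache key.
            if (COOKIE.equals(c.getName()) && c.getValue().matches("[0-9a-f]{1,32}")) return c.getValue();
        }
        return null;
    }
}
```

Memcache entries can be evicted before their expiry, so a null from current() has to be treated as "log in again"; that is the volatility trade-off the reply mentions for the built-in sessions.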
