Hey Ikai, sorry I referred you by mistake. My msg was for lembas.

On Mon, May 3, 2010 at 1:23 PM, romesh soni <[email protected]> wrote:
> Hi Ikai,
>
> The way you are managing session is not good. Actually you are using
> cookies for managing session, which is not a good thing.
> Instead, session management is done at server side, not client side.
>
> On Mon, May 3, 2010 at 1:18 PM, Ikai L (Google) <[email protected]> wrote:
>
>> I'm not sure how this mitigates use of the _ah_session records that are
>> created. Anytime you set an attribute, it will use this. If you're worried
>> about _ah_session getting out of control, a better way would be to use
>> Memcache for session data and associate it with a cookie. Stale, unused
>> session data will be automatically expired. The advantage of using the
>> built-in sessions is that since they are backed by both Memcache and the
>> datastore, they're going to be less volatile.
>>
>> On Sun, May 2, 2010 at 8:46 AM, lembas <[email protected]> wrote:
>>
>>> I have a couple of questions about session management. I use GWT+GAE. I
>>> do not want my _ah_sessions table to be out of control. I do not want
>>> to generate unnecessary sessions.
>>>
>>> I have <sessions-enabled>true</sessions-enabled> in my
>>> appengine-web.xml.
>>>
>>> 1. I have the following code at the beginning of my onModuleLoad()
>>> method, is it ok?
>>> String sessionid = Cookies.getCookie("JSESSIONID");
>>> if (sessionid != null) {
>>>     Date now = new Date();
>>>     Date expires = new Date(now.getTime() + (long) 1000 * 60 * 60 * 24 * 365);
>>>     Cookies.setCookie("JSESSIONID", sessionid, expires);
>>> }
>>>
>>> 2. After the user sends his/her username&password to the server for the
>>> first time (i.e. with a new JSESSIONID cookie), I get that "user"
>>> object from database and if I have it, I save it using:
>>> getThreadLocalRequest().getSession().setAttribute("user", user);
>>> and send it to the client as a sign of a successful login.
>>>
>>> So next time client visits the site with the same JSESSIONID I can get
>>> the user object directly by:
>>> getThreadLocalRequest().getSession().getAttribute("user");
>>>
>>> ---
>>>
>>> Is it ok how I use the session management? Is it true that every
>>> request comes with the same JSESSIONID (unless client deleted it
>>> deliberately), no new session is created on server and server does not
>>> need to access database to get the user object?
>>
>> --
>> Ikai Lan
>> Developer Relations, Google App Engine

--
You received this message because you are subscribed to the Google Groups "Google App Engine for Java" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/google-appengine-java?hl=en.
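
The alternative Ikai describes in the thread (session data in Memcache, associated with a cookie, with stale entries expiring on their own), sketched as an added example; it is not code from the thread or from App Engine's built-in session support. The class name, the cookie name `sid`, the key prefix and the 30-minute timeout are assumptions.

```java
import com.google.appengine.api.memcache.Expiration;
import com.google.appengine.api.memcache.MemcacheService;
import com.google.appengine.api.memcache.MemcacheServiceFactory;
import java.io.Serializable;
import java.math.BigInteger;
import java.security.SecureRandom;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical helper: session state lives in Memcache, the cookie carries only a random token. */
public class MemcacheSessions {
    private static final String COOKIE = "sid";        // assumed cookie name
    private static final String PREFIX = "sess:";      // assumed Memcache key prefix
    private static final int TTL_SECONDS = 30 * 60;    // assumed idle timeout
    private static final SecureRandom RNG = new SecureRandom();
    private final MemcacheService cache = MemcacheServiceFactory.getMemcacheService();

    /** Call after the password check succeeds: new token, user object stored server-side only. */
    public void login(HttpServletResponse resp, Serializable user) {
        String token = new BigInteger(128, RNG).toString(16);  // 128 random bits, hex
        cache.put(PREFIX + token, user, Expiration.byDeltaSeconds(TTL_SECONDS));
        Cookie c = new Cookie(COOKIE, token);
        c.setPath("/");
        c.setSecure(true);   // send over HTTPS only
        c.setMaxAge(-1);     // browser-session cookie; the server-side TTL bounds its lifetime
        resp.addCookie(c);
    }

    /** Returns the stored user, or null if the token is missing, malformed, unknown or expired. */
    public Object currentUser(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();   // null when the request carries no cookies
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (!COOKIE.equals(c.getName())) continue;
            String token = c.getValue();
            if (token == null || !token.matches("[0-9a-f]{1,32}")) return null;
            Object user = cache.get(PREFIX + token);
            if (user != null) {   // sliding expiry: refresh the TTL on each use
                cache.put(PREFIX + token, user, Expiration.byDeltaSeconds(TTL_SECONDS));
            }
            return user;
        }
        return null;
    }

    // Logout: delete the server-side entry so the token is useless even if replayed.
    public void logout(String token) { cache.delete(PREFIX + token); }
}
```

Memcache entries can be evicted before their TTL, which is the volatility Ikai contrasts with the built-in sessions that are also backed by the datastore.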
