Keep in mind that sessions managed by the servlet container expire after a specific time of inactivity on the server side, so if a user comes back after a while with his old session cookie, he will still get a new session. According to the servlet spec, you can obtain this value with HttpSession.getMaxInactiveInterval() and change it with HttpSession.setMaxInactiveInterval(int), with a value of -1 meaning never to expire.
Regards, Stephan 2010/5/27 lembas <[email protected]> > thanks romesh. I was on vacation did not see your message. sorry for a > late answer. > > I do not "use cookies for managing session". Google does. JESSIONID > cookies is created on server by App Engine anyway. I just extend its > expiration date. > Is it possible to implement "remember me" functionality without > cookies? > > On May 3, 11:22 am, romesh soni <[email protected]> wrote: > > Hey Ikai, sorry I referred you by mistake.. My msg was for lembas > > > > > > > > On Mon, May 3, 2010 at 1:23 PM, romesh soni <[email protected]> > wrote: > > > Hi Ikai, > > > > > the way you are managing session is not good. actually you are using > > > cookies for managing session, which is not a good thing. > > > instead session management is done at server side, not client side. > > > > > On Mon, May 3, 2010 at 1:18 PM, Ikai L (Google) <[email protected]> > wrote: > > > > >> I'm not sure how this mitigates use of the _ah_session records that > are > > >> created. Anytime you set an attribute, it will use this. If you're > worried > > >> about _ah_session getting out of control, a better way would be to use > > >> Memcache for session data and associate it with a cookie. Stale, > unused > > >> session data will be automatically expired. The advantage of using the > built > > >> in sessions is that since they are backed by both Memcache and the > > >> datastore, they're going to be less volatile. > > > > >> On Sun, May 2, 2010 at 8:46 AM, lembas <[email protected]> wrote: > > > > >>> I have couple of questions about session management. I use GWT+GAE. I > > >>> do not want my _ah_sessions table to be out of control. I do not want > > >>> to generate unnecessary sessions. > > > > >>> I have <sessions-enabled>true</sessions-enabled> in my appengine- > > >>> web.xml. > > > > >>> 1.I have the following code at the beginning of my onModuleLoad() > > >>> method, is it ok? > > >>> String sessionid = Cookies.getCookie("JSESSIONID"); > > >>> if (sessionid != null) { > > >>> Date now = new Date(); > > >>> Date expires = new Date(now.getTime() + (long) 1000 * 60 * 60 > * 24 > > >>> * > > >>> 365); > > >>> Cookies.setCookie("JSESSIONID", sessionid, expires); > > >>> } > > > > >>> 2.After the user sends his/her username&password to the server for > the > > >>> first time (i.e. with a new JSESSIONID cookie), I get that "user" > > >>> object from database and if I have it, I save it using: > > >>> getThreadLocalRequest().getSession().setAttribute("user", user); > > >>> and send it to the client as a sign of a succesful login. > > > > >>> So next time client visits the site with the same JSESSIONID I can > get > > >>> the user object directly by: > > >>> getThreadLocalRequest().getSession().getAttribute("user"); > > > > >>> --- > > > > >>> Is it ok how I use the sesssion management? Is it true that every > > >>> request comes with the same JSESSIONID (unless client deleted it > > >>> deliberately), no new session is created on server and server do not > > >>> need to access database to get the user object? > > > > >>> -- > > >>> You received this message because you are subscribed to the Google > Groups > > >>> "Google App Engine for Java" group. > > >>> To post to this group, send email to > > >>> [email protected]. > > >>> To unsubscribe from this group, send email to > > >>> [email protected]<google-appengine-java%[email protected]> > <google-appengine-java%[email protected]<google-appengine-java%[email protected]> > > > > >>> . > > >>> For more options, visit this group at > > >>>http://groups.google.com/group/google-appengine-java?hl=en. > > > > >> -- > > >> Ikai Lan > > >> Developer Relations, Google App Engine > > >> Twitter:http://twitter.com/ikai > > >> Delicious:http://delicious.com/ikailan > > > > >> ---------------- > > >> Google App Engine links: > > >> Blog:http://googleappengine.blogspot.com > > >> Twitter:http://twitter.com/app_engine > > >> Reddit:http://www.reddit.com/r/appengine > > > > >> -- > > >> You received this message because you are subscribed to the Google > Groups > > >> "Google App Engine for Java" group. > > >> To post to this group, send email to > > >> [email protected]. > > >> To unsubscribe from this group, send email to > > >> [email protected]<google-appengine-java%[email protected]> > <google-appengine-java%[email protected]<google-appengine-java%[email protected]> > > > > >> . > > >> For more options, visit this group at > > >>http://groups.google.com/group/google-appengine-java?hl=en. > > > > -- > > You received this message because you are subscribed to the Google Groups > "Google App Engine for Java" group. > > To post to this group, send email to > [email protected]. > > To unsubscribe from this group, send email to > [email protected]<google-appengine-java%[email protected]> > . > > For more options, visit this group athttp:// > groups.google.com/group/google-appengine-java?hl=en. > > -- > You received this message because you are subscribed to the Google Groups > "Google App Engine for Java" group. > To post to this group, send email to > [email protected]. > To unsubscribe from this group, send email to > [email protected]<google-appengine-java%[email protected]> > . > For more options, visit this group at > http://groups.google.com/group/google-appengine-java?hl=en. > > -- You received this message because you are subscribed to the Google Groups "Google App Engine for Java" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/google-appengine-java?hl=en.
