"Wang, Dapeng" wrote:

> Hi, Craig,
>
> Can you estimate how long a session should last to be useful. I think in
> Tomcat 30 min is the default, isn't it a little bit too long?
>

One thing to remember ... the session timeout value does *not* determine how long a session lasts. It only determines how long the server will wait in between requests to invalidate your session. If you have your timeout set for 30 minutes, but you are issuing requests every 20 minutes, your session can go on for hours, days, or weeks.

That being said, the issue of what is the "right" timeout is pretty specific to your application and its users. Some considerations:

* Can you train your users to log off of your app (so your app can invalidate the session) when they are not going to use it for a while? Then a longer timeout does not matter.

* Are you storing "expensive" stuff (like database connections or very large data objects) in the user's session? You probably want to set the timeout shorter.

* Do your users complain that every time they stop to answer a phone call or get a cup of coffee the app times them out? You've probably got the timeout too short.

As you can see, finding the right timeout is more art than science :-). But it's totally up to you, and does not even have to be the same for every user -- you can call session.setMaxInactiveInterval() on any session to set a custom timeout for that particular session, or even change it during the session's lifetime. I use this approach to make the timeout shorter when I've got "expensive" stuff in the user's session, and longer (or even disable the timeout, if I don't care about how long they stay logged on) when they are sitting at a menu.

>
> regards
> Dapeng
>

Craig
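
An added example, not part of the original message and not Tomcat's own code: a servlet filter that sets the idle timeout per session with `setMaxInactiveInterval()` as described above, and goes one step further by capping total session age, since the idle timeout alone never ends a session that keeps receiving requests. The class name, the `expensiveResource` attribute name and the three durations are assumptions, and it uses the `javax.servlet` package names.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Added example: per-session idle timeout plus a cap on total session age. */
public class SessionTimeoutFilter implements Filter {
    // Assumed values; tune them for the application and its users.
    private static final int IDLE_EXPENSIVE_SECS = 5 * 60;
    private static final int IDLE_DEFAULT_SECS = 30 * 60;
    private static final long MAX_AGE_MILLIS = 8L * 60 * 60 * 1000;
    // Hypothetical attribute under which the application stores a costly object.
    private static final String EXPENSIVE_ATTR = "expensiveResource";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false); // never create one here
        if (session != null) {
            long age = System.currentTimeMillis() - session.getCreationTime();
            if (age > MAX_AGE_MILLIS) {
                // Regular requests keep resetting the idle timer, so enforce a hard limit.
                session.invalidate();
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
        }
        chain.doFilter(req, res);
        // Look the session up again: the request may have created or invalidated it,
        // or added or removed the expensive attribute.
        session = request.getSession(false);
        if (session != null) {
            boolean expensive = session.getAttribute(EXPENSIVE_ATTR) != null;
            session.setMaxInactiveInterval(expensive ? IDLE_EXPENSIVE_SECS : IDLE_DEFAULT_SECS);
        }
    }
}
```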
