RE: security

Tue, 04 Sep 2001 05:45:13 -0700 

>
> That is what I want to store... I want turbine to make my
> user login once a
> day.. instead of every session... I think I can implement
> this in a custom
> SessionValidator if it is not available to me already... I
> think all that
> needs to happen is have the jsession id stored in a persistent cookie
> instead of a session cookie... maybe not though...

No, you're not getting what sessions are I think. It doesn't matter if you store the 
jsessionid in a perstitant cookie, when you
pass that id back to the appserver, it is just going to create a new session for you 
because the session has expired.

There are two solutions:

1. Automatically log them on if they have a cookie you specify. This means that when 
they initially logon, send a persistant cookie,
then on a later logon, check for that cookie (anything) and if they have it, just log 
them on straight away.

2. Make session expiry 24 hours.

Option 1 results in a fairly insecure site, option 2 may result in massive memory 
usage under heavy loads.


> ----- Original Message -----
> From: "Gareth Coltman" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, September 04, 2001 8:54 AM
> Subject: RE: security
>
>
> > >
> > > It looks like login is using soft... is there a way to switch
> > > it to hard?
> > >
> >
> > Well, no I wouldn't think so. Session cookies are stored by
> the browser in
> memory. When the browser closes, the session dies. The
> > session cookie (ie the id) is valid only for the lifetime
> of the session -
> this is why it is not persisted. The volitile nature of
> > sessions (ie they expire) makes it a little pointless to
> store the cookie
> on disk.
> >
> > Hard cookies are not for session tracking, they are used to
> store things
> like usernames, preferences etc.
> >
> > G
> >
> >
> >
> ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail:
> [EMAIL PROTECTED]
> >
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to