It's just that if you just do p:poll every five minutes they are never logged out from activity. This has actually caused us to fail a security screening in the past.
1. Users use security system before leaving office, forget to log out and the PC does not lock from inactivity either
2. In the middle of the night a burglar breaks in and has direct access to system because p:poll has kept stuff warm for him
3. Lose Customer

To clarify, our users might just leave with computer logged on and system logged on so session timeout is essential. In general they actually want really short session timeouts but the tricky part is that for some pages they want 1H or similar. When they work on those pages they can't just lose the session so we warn them in advance. Might be enough to just use p:idleMonitor.

Our solution is homemade because we don't have primefaces in that product so I was brainstorming when I mentioned it. For us it's DWR that keeps the session alive but in the future it will be p:push.

TLDR: If you use p:poll don't forget that users may forget to log out and p:poll will disable session timeout.

On 13 February 2014 12:52, Howard W. Smith, Jr. <[email protected]> wrote:

> Karl, p:poll introduces security concerns? Please elaborate/clarify.
> Thanks.
> On Feb 13, 2014 3:39 AM, "Karl Kildén" <[email protected]> wrote:
>
> > Good suggestion Thomas,
> >
> > For myself I would need this:
> >
> > < 1 Hour: Keep session alive with p:poll
> > > 1 Hour: Render p:idleMonitor instead and warn for activity and session
> > destroy in x minutes.
> >
> > The switch to an idleMonitor would require that you check the submitted
> > request parameters and this way know if poll component triggered the
> > request or the user.
> >
> > A plain p:poll is unacceptable for our system for security reasons.
> >
> >
> > On 13 February 2014 09:26, Thomas Andraschko <[email protected]> wrote:
> >
> > > >> I don't know why & how this is so implemented but It is very normal that the
> > > >> user may be busy reading some section of website or be away for 20 minutes,
> > > >> & as he comes back & interacts with opened pages, how would I make that
> > > >> work without the state ?
> > > >> I think this is a common requirement for any public websites.
> > >
> > > You could just add an ajax poll components and ping the server all 5
> > > minutes - so the session will only be destroyed if all tabs from your
> > > application are closed.
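
The check described in the thread (telling poll-triggered requests from user requests by the submitted parameters), as an added example that is not from the original messages or from PrimeFaces: a servlet filter that keeps its own idle clock and ends the session when only polls have arrived. The poll client id, the session attribute name, the UTF-8 default and the 15-minute limit are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example: idle timeout driven by user activity only, not by keep-alive polls. */
public class UserIdleTimeoutFilter implements Filter {

    // Assumption: client id of the keep-alive p:poll component on the page.
    private static final String POLL_CLIENT_ID = "keepAliveForm:keepAlivePoll";
    // Assumption: session attribute used only by this filter.
    private static final String LAST_USER_ACTIVITY = "lastUserActivityMillis";
    // Assumption: idle limit; pages that need 1 hour would use a per-page value.
    private static final long MAX_IDLE_MILLIS = 15 * 60 * 1000L;

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Reading parameters fixes the request encoding, so set it first.
        if (request.getCharacterEncoding() == null) {
            request.setCharacterEncoding("UTF-8");
        }
        HttpSession session = request.getSession(false);
        if (session != null) {
            long now = System.currentTimeMillis();
            Long last = (Long) session.getAttribute(LAST_USER_ACTIVITY);
            // JSF ajax requests name the triggering component in javax.faces.source.
            boolean fromPoll = POLL_CLIENT_ID.equals(request.getParameter("javax.faces.source"));
            if (last != null && now - last > MAX_IDLE_MILLIS) {
                // No user request within the limit: end the session even though
                // polls have kept the container's own timeout from firing.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            if (!fromPoll || last == null) {
                // Only user-triggered requests (or the first request) reset the clock.
                session.setAttribute(LAST_USER_ACTIVITY, now);
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

The `javax.faces.source` value is supplied by the browser, so this covers the unattended-workstation case from the thread, and the container's own session timeout still applies as the outer limit.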

