  1. #1
    Join Date
    Oct 2011
    Posts
    13

    Question regarding infinite session time out

    Hi to all,
    Actually I have a JSF website in which I have two users, public and registered. For registered users there is a session timeout, but for the public user there is no session timeout. So I used

    Code:
    session.setMaxInactiveInterval(-1);   // no session timeout for public user
    I want to ask: is this a good idea? What are the bad consequences of this? Or is it OK, because I want my public user to never see the page saying that your session has expired? If I don't set an infinite session timeout, then my public user also gets the notification that the session has expired. Is there any technique to set the session timeout for public users to something like 3 days (just asking), so that an infinite session timeout doesn't affect my site?

    Also, suppose the user is logged in and then suddenly closes the browser. Closing the browser closes the session. Now when you open your browser, you get a message that your session has expired. I want to ask: when you open a browser, can I use this check?

    Code:
        if (httpServletRequest.getRequestedSessionId() != null && !httpServletRequest.isRequestedSessionIdValid()) {

            System.out.println("Session has expired");

            if (session.isNew()) {

                /**
                 * getSession() (or, equivalently, getSession(true)) creates a new session if no
                 * session already exists.
                 */
                session = httpServletRequest.getSession(true);
                session.setAttribute("logedin", "0");    // public user

                filterChain.doFilter(httpServletRequest, httpServletResponse);

            } else {

                session = httpServletRequest.getSession(true);
                session.setAttribute("logedin", "0");    // public user

                //httpServletResponse.sendRedirect("http://www.google.com");
                httpServletResponse.sendRedirect(timeoutPage);

            }

        }
    I used the isNew() check because I want that if a user is entering your site for the first time, like opening his browser, then he doesn't see the redirection message although his session has expired because of closing the browser.

    Thanks

  2. #2
    Join Date
    Jul 2005
    Location
    Currently in Mexico City
    Posts
    568

    Re: question regarding infinite session time out

    1. One approach would be to use cookies for public users. So if a cookie exists, just log the user in automatically, while internal users won't have their cookies and will submit to your session timeout.

    2. In the other one, you could set the global session timeout to 0 in web.xml. Then use a static map for every logged-in user, setting their respective timers. Write a periodical background submit (a small ajax submit would do fine, e.g. a4j:poll) with some reasonable interval to avoid killing the server (5-10 min, for example). In a PhaseListener, catch this ajax request and move the timer for the user it came from, while if the request is not sent from the poll, reset the timer to its full value. In case the timer runs out, manually kill the user's session and redirect him/her to some page (login, timeout, etc.). This way has its big advantage in the level of session control precision and, as a nice bonus, the possibility to kill users' sessions without them touching anything.

    The only problem remaining in approach #2 is the case where the user just closes his browser. To manage this one there are 2 options:

    a) Somewhere (could be the same PhaseListener) periodically compare the logged-in users map against the active sessions list, and if there are any differences, log off the users for sessions that do not appear in this list. This is highly recommended because, while IE loses the session after the browser is closed, Firefox/Safari/Opera/etc. keep it saved instead.
    b) Combine with the first approach: manage cookies. Create/delete a cookie every time a user is logged in/off with his browser active. So if a user closes his browser, the cookie remains; in this case automatically log him in, resetting his timer.

    Though I would recommend the second approach only for administrative applications that require high levels of security.

    Hope this helps
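Approach #2 above, as an added sketch that is not part of Xeel's post: a registry in which only user-driven requests reset the idle timer, while keep-alive polls merely check it, plus the periodic sweep from option a). The class and method names are hypothetical, it stores timestamps rather than countdown timers, and the caller is assumed to invalidate the `HttpSession` for every ID reported as expired.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Added example: per-user idle timers where keep-alive polls never extend the deadline. */
public class IdleTimerRegistry {
    private final long idleLimitMillis;
    // sessionId -> time of the last request that was NOT a background poll
    private final Map<String, Long> lastRealActivity = new ConcurrentHashMap<>();

    public IdleTimerRegistry(long idleLimitMillis) { this.idleLimitMillis = idleLimitMillis; }

    /** Call on login and on every user-driven request: resets the timer to its full value. */
    public void onUserRequest(String sessionId, long now) { lastRealActivity.put(sessionId, now); }

    /** Call for each background poll: returns false once the user has been idle too long. */
    public boolean onPoll(String sessionId, long now) {
        Long last = lastRealActivity.get(sessionId);
        if (last == null || now - last >= idleLimitMillis) {
            lastRealActivity.remove(sessionId);
            return false;   // caller invalidates the HttpSession and redirects to the timeout page
        }
        return true;
    }

    /** Periodic sweep (option a): expire users whose browser closed, so no poll ever arrives. */
    public List<String> sweep(long now) {
        List<String> expired = new ArrayList<>();
        lastRealActivity.forEach((id, last) -> {
            if (now - last >= idleLimitMillis && lastRealActivity.remove(id, last)) expired.add(id);
        });
        return expired;
    }

    public static void main(String[] args) {
        IdleTimerRegistry reg = new IdleTimerRegistry(30 * 60_000L);   // 30-minute idle limit
        long t0 = 0;                                  // constructed timeline, in milliseconds
        reg.onUserRequest("sess-A", t0);              // user A clicks something, then only polls
        reg.onUserRequest("sess-B", t0);              // user B logs in, then closes the browser
        System.out.println(reg.onPoll("sess-A", t0 + 10 * 60_000L));   // poll after 10 idle minutes
        System.out.println(reg.onPoll("sess-A", t0 + 31 * 60_000L));   // poll after 31 idle minutes
        System.out.println(reg.sweep(t0 + 31 * 60_000L));              // sweep finds silent sessions
    }
}
```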

  3. #3
    Join Date
    Oct 2011
    Posts
    13

    Re: question regarding infinite session time out

    Thanks Xeel. One thing, you didn't answer my question... Can session timeout -1 harm your application?
    You said

    Then use a static map for every logged-in user, setting their respective timers. Write a periodical background submit (a small ajax submit would do fine, e.g. a4j:poll) with some reasonable interval to avoid killing the server (5-10 min, for example).
    How can I set timers for the respective user? Whenever my user logs in, this method of mine is called. Also, does periodical background mean a background thread? Can you provide some dummy code showing how I can use ajax for a periodical background submit with some reasonable interval?

    Code:
    public String validUser() throws Exception {
        String returnString = null;

        ArrayList2d<Object> mainarray = new ArrayList2d<Object>();
        mainarray.addRow();
        mainarray.add(ConnectionUtil.replace(userName));
        mainarray.add(ConnectionUtil.replace(password));

        busBeans.usermanagement.users um = new busBeans.usermanagement.users();
        ArrayList retrieveList = um.getValidUser(mainarray);    // database check for user
        if (Integer.parseInt(retrieveList.get(0).toString()) == 0) {
            ArrayList str = (ArrayList) retrieveList.get(1);

            FacesContext facesContext = FacesContext.getCurrentInstance();
            ExternalContext externalContext = facesContext.getExternalContext();

            // getSession(false) returns null if no session already exists for the current client.
            HttpSession session = (HttpSession) externalContext.getSession(false);

            if (session == null) {
                // create session, so the setAttribute() calls below cannot hit a null reference
                session = (HttpSession) externalContext.getSession(true);
            } else {
                // print session attributes
            }

            logedin = true;

            // Set session attributes for logged-in users
            session.setAttribute("logedin", "1");   // registered user
            session.setAttribute("firstLastName", str.get(7).toString());
            session.setAttribute("getusercredentials", str);
            session.setAttribute("sessionUserId", str.get(0).toString());
            session.setAttribute("sessionRoleId", str.get(1).toString());
            session.setAttribute("registeredUser", "true");

            /**
             * set session timeout for login user
             * 1 min = 60 sec
             * 30 min = 30 * 60 sec = 1800 sec
             */
            session.setMaxInactiveInterval(1800);

            firstLastName = session.getAttribute("firstLastName").toString();
        } // end of if: the database check accepted the user

        return returnString;

    } // end of validUser()
    Thanks
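On the open question of `-1`: a session that never times out is reclaimed only when the application invalidates it, so a long finite timeout for public users is the safer setting. The following added example (not code from the thread; `SessionPolicy` and its method names are hypothetical, and the `javax.servlet` API is assumed to be on the classpath) gives public sessions the 3 days asked about and replaces the session at login so the long-lived public session ID does not carry over.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Added example (hypothetical helper, not the poster's code): bounded timeouts per user type. */
public final class SessionPolicy {
    static final int PUBLIC_TIMEOUT_SECONDS = 3 * 24 * 60 * 60;   // 3 days, the figure asked about
    static final int REGISTERED_TIMEOUT_SECONDS = 30 * 60;        // 30 min = 1800 sec

    private SessionPolicy() { }

    /** Public visitor: long but finite idle timeout instead of setMaxInactiveInterval(-1). */
    public static HttpSession publicSession(HttpServletRequest request) {
        HttpSession session = request.getSession(true);
        if (session.isNew()) {
            session.setAttribute("logedin", "0");                 // public user, key as in the thread
            // With -1, every visitor or crawler that never sends its cookie back
            // leaves a session behind that the container will not expire.
            session.setMaxInactiveInterval(PUBLIC_TIMEOUT_SECONDS);
        }
        return session;
    }

    /** Successful login: drop the long-lived public session and start a fresh one. */
    public static HttpSession registeredSession(HttpServletRequest request, String userId) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();              // the pre-login session ID must not survive login
        }
        HttpSession session = request.getSession(true);
        session.setAttribute("logedin", "1");                     // registered user
        session.setAttribute("sessionUserId", userId);
        session.setMaxInactiveInterval(REGISTERED_TIMEOUT_SECONDS);
        return session;
    }
}
```

In a JSF action the request is available as `(HttpServletRequest) externalContext.getRequest()`; session-scoped beans created before login are discarded along with the old session.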
