2,609 Views 11 Replies Last post: Sep 10, 2009 8:49 AM by John Chambers
saidimu apale Novice 8 posts since
Mar 6, 2008

Jan 22, 2009 7:58 AM

Session timeout values: what are the implications?

  • ... of setting it too high? What would that be exactly?
  • ... of setting it too low?
  • Any reasons why the default is as it is?
Tags: security, usability, session, timeout, session_timeout
Vinh Jive Employee 12,343 posts since
Apr 1, 2008
Jan 22, 2009 10:29 AM in response to: saidimu apale
Re: Session timeout values: what are the implications?

The session timeout value is set by the application server. Tomcat's default is 60 minutes, but you can set it higher or lower if you'd like. A higher timeout value would allow users to stay logged in longer with 'idle activity' (i.e. not visiting any links). This is useful for users who spend a very long time working on a document or a blog post without saving their draft.

Vinh Jive Employee 12,343 posts since
Apr 1, 2008
Jan 23, 2009 8:21 AM in response to: saidimu apale
Re: Session timeout values: what are the implications?

I don't know of anyone that has it set to 8 hours, but we have some users that have set it to 3 - 5 hours and haven't experienced any issues.

nhamar Novice 244 posts since
Feb 3, 2009
Feb 13, 2009 10:22 AM in response to: Vinh
Re: Session timeout values: what are the implications?

Hey Vinh,

Can you tell me how to adjust Tomcat's timeout settings?

Thank you very much,

nathan

Vinh Jive Employee 12,343 posts since
Apr 1, 2008
Feb 13, 2009 10:55 AM in response to: nhamar
Re: Session timeout values: what are the implications?

There is a session-config property in your web.xml that you can set. You'll want to consult the Tomcat documentation for more details.

vinunes Novice 4 posts since
Jul 28, 2008
May 7, 2009 4:23 PM in response to: Vinh
Re: Session timeout values: what are the implications?

Vinh,

Reading through the Tomcat docs suggests that the session max value is 60 minutes.

A Google search on the topic led me to http://edocs.bea.com/wls/docs61/webapp/web_xml.html#1017356 where it mentions two special values.

I realize the link and table below are for WebLogic. Is there a corollary to Special Value -2 and a TimeoutSecs option?

session-config Element

The session-config element defines the session parameters for this Web Application.

The following table describes the element you can define within a session-config element.

Element: <session-timeout>
Required/Optional: Optional
Description: The number of minutes after which sessions in this Web Application expire. The value set in this element overrides the value set in the TimeoutSecs parameter of the <session-descriptor> element in the WebLogic-specific deployment descriptor weblogic.xml, unless one of the special values listed here is entered.

Default value: -2

Maximum value: Integer.MAX_VALUE ÷ 60

Special values:

  • -2 = Use the value set by TimeoutSecs in <session-descriptor> element of weblogic.xml
  • -1 = Sessions do not timeout. The value set in <session-descriptor> element of weblogic.xml is ignored.

For more information, see session-descriptor Element.
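
An added example, not part of the original thread and not Jive, Tomcat or WebLogic code: a small Python check that reads the session-config timeout from a web.xml and classifies it. It covers the WebLogic special values quoted in the post above and the Java Servlet specification rule that a zero or negative value means sessions never time out. The sample descriptors, the function names and the 30-minute ceiling are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor; the timeout value is filled in per case.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <session-config>
    <session-timeout>{value}</session-timeout>
  </session-config>
</web-app>"""
NO_TIMEOUT = "<web-app><display-name>constructed</display-name></web-app>"


def _local(tag):
    """Drop the XML namespace so namespaced and plain web.xml files both match."""
    return tag.rsplit("}", 1)[-1]


def read_session_timeout(web_xml_text):
    """Return <session-timeout> in minutes, or None when the element is absent."""
    root = ET.fromstring(web_xml_text)
    for cfg in root.iter():
        if _local(cfg.tag) != "session-config":
            continue
        for child in cfg:
            if _local(child.tag) == "session-timeout":
                return int((child.text or "").strip())
    return None


def audit_session_timeout(web_xml_text, max_minutes=30, container="tomcat"):
    """Classify the idle timeout; max_minutes is an assumed policy ceiling."""
    try:
        minutes = read_session_timeout(web_xml_text)
    except (ET.ParseError, ValueError) as exc:
        return ("error", f"unreadable session-timeout: {exc}")
    if minutes is None:
        return ("default", "no <session-timeout>; the container default applies")
    if container == "weblogic" and minutes == -2:
        # Special value from the WebLogic table quoted in the thread.
        return ("deferred", "TimeoutSecs in weblogic.xml decides")
    if minutes <= 0:
        # Servlet spec: zero or negative means sessions never time out.
        return ("never", "sessions never expire on idle")
    if minutes > max_minutes:
        return ("long", f"{minutes} min exceeds the {max_minutes} min ceiling")
    return ("ok", f"{minutes} min")


if __name__ == "__main__":
    for value in ("30", "480", "-1", "-2", "soon"):
        print(value, audit_session_timeout(WEB_XML.format(value=value)))
    print("absent", audit_session_timeout(NO_TIMEOUT))
```
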

John Macioci Novice 120 posts since
Jul 8, 2008
Sep 8, 2009 9:35 AM in response to: Vinh
Re: Session timeout values: what are the implications?

Hey Vinh, I saw your reply to session timeouts and I'd like to know what the implications are if this is set to a high number, say 8-10 hours. Can you explain the correlation between a high session time-out and memory utilization? Also, is there a place where I can read how user sessions are implemented (e.g. sessions, tokens, cookies, etc.)?

We have a raging debate with our user community on session timeouts. Many would like their Jive experience to be the same as other social sites which seem to have no session timeouts.

Thanks!

Vinh Jive Employee 12,343 posts since
Apr 1, 2008
Sep 8, 2009 9:55 AM in response to: John Macioci
Re: Session timeout values: what are the implications?

There is no known correlation with high memory utilization or memory leaks with a high session time-out. We have a number of customers that have their sessions set to 5 to 10 hours and we have not seen any adverse effects.

Can't these users use the remember me function when they log in? That would keep their session for two weeks.

Thanks,

Vinh

John Macioci Novice 120 posts since
Jul 8, 2008
Sep 8, 2009 10:07 AM in response to: Vinh
Re: Session timeout values: what are the implications?

Thank you Vinh. How does "remember me" work? Does it use cookies? We currently have "remember me" disabled.

Can you help me understand sessions a little better?

Vinh Jive Employee 12,343 posts since
Apr 1, 2008
Sep 9, 2009 4:47 PM in response to: John Macioci
Re: Session timeout values: what are the implications?

We use Acegi for Remember Me and it's leveraged as a cookie.

The session is handled by the application server. Given that the RPM uses Tomcat, here's a brief explanation on how session works with Tomcat.

John Chambers Novice 14 posts since
Oct 28, 2008
Sep 10, 2009 8:49 AM in response to: Vinh
Re: Session timeout values: what are the implications?

Vinh,

I noted the following in Chapter 21 of the "Professional Apache Tomcat 6" book that you referenced:

The development time issues relate to how the Java code for the Web application was designed and implemented. Again, there is a whole set of implementation best practices surrounding this area such as:
- Do not create sessions for JSPs if they are not required
- Do not store large objects in your session
- Time out sessions quickly, and invalidate your sessions when you are done with them
- Use the right scope for objects
etc...

The majority of my experience is with WebSphere Application servers, and typically session object size and number of session objects are metrics we monitor to assure a responsive, stable system. We have found that the value of session timeout is a parameter that can dramatically affect the number of session objects the server must manage. We typically follow vendor guidelines for session timeout value (30 minutes or less).

I am really interested to know more as to why large session timeout values in Jive / Tomcat are not a concern.
