I'm writing my Spring MVC web application.
I have set my session timeout to 10080 minutes, equal to 1 week. Now I would like to keep the user logged in every time he opens the browser:
sessionService.setcurrentUser(myuser);
HttpSession session = request.getSession();
Cookie cookie = new Cookie("JSESSIONID", session.getId());
cookie.setMaxAge(timeout);
response.addCookie(cookie);
Should my cookie Max Age be the same as session time out?
cookie.setMaxAge(10080);
Is it good practice?
You should configure it in web.xml, not by hacking the default session cookie.
<session-config>
<session-timeout>10080</session-timeout>
</session-config>
Note that you shouldn't store too much data in the session, and/or make sure that your server has enough memory.
The following posts contain interesting information.
As far as good practice goes you probably have two things to consider:
- Security aspect of leaving the session active for a long period of time.
- Memory implications, your session will be serialized and you want to keep it to a minimum. Especially if the amount of users could grow drastically.
Discussion 1
Discussion 2
Discussion 3
You use cookies to refer to your session id. If the timeout of the cookie is lower than that of the session, it will not find your session anymore. So setting the timeout of your cookie to at least the timeout of your session is advisable.