Hi,
I'm implementing a web app, which uses sessions. I'm using GWT and app engine as my client/server, but I don't think they're doing anything really different than I would do with PHP and apache etc.
When a user logs into my web app, I am using HttpSession to start a session for them. I get the session id like this:
// From my login servlet:
getThreadLocalRequest().getSession(false).getId();
I return the sessionId back to the client, and they store it in a cookie. The tutorial I'm using sets this cookie to 'expire' in two weeks:
Cookie.write("sid", theSessionId, 1000 * 60 * 60 * 24 * 14); // two weeks
Here's where I'm confused: if the cookie expires in two weeks, then my user will go along using the webapp happily, only to one day browse to my site and be shown a login screen. What are my options? Can I just set no expiration time for this cookie? That way the user would have to explicitly log out, otherwise they could just use the app forever without having to log back in?
Or is there a better way to do this? I can't remember sites like Twitter having ever asked me to log back in again. I seem to be permanently logged in. Do they just set no expiration?
The webapp isn't protecting any sort of highly sensitive data, so I don't mind leaving a cookie that doesn't expire, but it seems like there must be a better way?
This is the tutorial I'm referencing:
http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ
Thanks