What do you all think?
views:
287answers:
5
A:
Do you mean on a per user basis or for the whole application?
Per user, the question depends on what the purpose of the web application is. If it's something like an online banking site, you could reasonable decide to only allow a single session per user for security. But if your app can already handle more than one session per user, it doesn't seem to make much sense to set an arbitrary limit.
On a per application basis, it doesn't really make much sense to set an arbitrary limit either unless you know it breaks down after a certain number of sessions for some reason.
Ryan
2009-04-01 16:03:00
A:
No.
Your application can be shut down for everyone for your entire session timeout (say 20 minutes), by a simple bot starting max sessions.
krosenvold
2009-04-01 16:15:47
A:
Depends. Are you running in an environment where system resources are sufficiently scarce that you risk exhausting them by session use?
Kalium
2009-04-01 16:20:07
A:
I assume you are talking about limiting same account for multiple sessions, otherwise ignore this :)
Depends, if it's high security application yes, this can avoid Session Hijacking issues (can be carried out many ways such XSS) as well as might help users to spot their account has been stolen and used by someone else.
In a normal web application which doesn't require high security, No. It's plain irritating.
dr. evil
2009-04-01 16:23:13