A marketing guy came to me with a request to time out the session every 6 hours regardless of the user activity on the site.

I understand that if the user leaves his computer for a certain period of time (set right now to 30 minutes) the session should time out, but forcing a user to log in after a certain period of time just doesn't make sense to me.

His reason is that if a person is logged in for 6h on the site, it is most likely a bot.

Is this a valid request?

-ken

+2  A: 

That seems like a very arbitrary and ineffective way to decide when to kill sessions. The only effective way of spotting a bot that I can think of is tracking the path of each session to identify whether the activity is suspicious, but even this would be a waste of time. I would say that it is an invalid request, or at the very least an invalid approach.

OWASP is becoming the industry standard on security. Here is the session management link for further advice: http://www.owasp.org/index.php/Session_Management

DJ Quimby
A: 

Best practice in my opinion is what facebook.com does if you seem suspicious to the application. It would show you a page with some people and ask you to say which are your friends within a short period of time. The lesson is to use some business-related control (your website's activity) for finding out the bot. Logical solutions are always better than purely technical solutions. That's why I didn't advise something like using CAPTCHA, generating random IDs and names for HTML elements every time a page is generated, and ...

Xaqron
A: 

To close the session regardless of the user's activity, use a SessionListener and record a timestamp as a session attribute when the session is created.

Then use a (Request) Filter to check that the current time is less than 6 hours plus the initial recorded timestamp. If not, session.invalidate().

To force reloading the page after 21600 seconds (don't use this alone, always close the session in the server if you're going to do this, since this runs in the client browser):

<meta http-equiv="refresh" content="21600">

Is this a valid request?

Of course, marketing guys always issue valid requests.

Regards.

mrrtnn
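The listener-plus-filter approach described in this answer, written out as an added example (not the answerer's code). It assumes a Servlet 3.0+ container (javax.servlet annotations), a hypothetical attribute name and a hypothetical /login path; the 6-hour bound is the one from the question.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.*;

/** Filter enforcing an absolute session lifetime, independent of user activity. */
@WebFilter("/*")
public class AbsoluteSessionTimeoutFilter implements Filter {
    /** Hard upper bound on session age: 6 hours (21600 seconds), as requested. */
    static final long MAX_SESSION_AGE_MS = 6L * 60 * 60 * 1000;

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // getSession(false): never create a session just to check its age
        HttpSession session = request.getSession(false);
        if (session != null && isExpired(session, System.currentTimeMillis())) {
            session.invalidate(); // server-side kill; a client-side meta refresh alone is not enough
            ((HttpServletResponse) res).sendRedirect(request.getContextPath() + "/login"); // hypothetical path
            return;
        }
        chain.doFilter(req, res);
    }

    /** True once the session is older than MAX_SESSION_AGE_MS, measured from its creation. */
    static boolean isExpired(HttpSession session, long nowMs) {
        Long createdAt = (Long) session.getAttribute(AbsoluteTimeoutListener.CREATED_AT);
        // The container also tracks creation time, so fall back to it if the attribute is missing
        long startMs = createdAt != null ? createdAt : session.getCreationTime();
        return nowMs - startMs > MAX_SESSION_AGE_MS;
    }
}

/** Records the creation timestamp as a session attribute, as the answer suggests. */
@WebListener
class AbsoluteTimeoutListener implements HttpSessionListener {
    static final String CREATED_AT = "absoluteTimeout.createdAt"; // hypothetical attribute name

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        se.getSession().setAttribute(CREATED_AT, System.currentTimeMillis());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) { }
}
```

The attribute lives server-side, so the client cannot extend its own lifetime; the inactivity timeout (30 minutes in the question) still applies separately via the container's session-timeout setting.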