Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How long do you keep session cookies around for?

I'm implementing a web app, which uses sessions. I'm using GWT and app engine as my client/server, but I don't think they're doing anything really different than I would do with PHP and apache etc.

When a user logs into my web app, I am using HttpSession to start a session for them. I get the session id like this:

// From my login servlet:
getThreadLocalRequest().getSession(false).getId();

I return the sessionId back to the client, and they store it in a cookie. The tutorial I'm using sets this cookie to 'expire' in two weeks:

Cookie.write("sid", theSessionId, 1000 * 60 * 60 * 24 * 14); // two weeks

Here's where I'm confused: if the cookie expires in two weeks, then my user will go along using the webapp happily, only to one day browse to my site and be shown a login screen. What are my options? Can I just set no expiration time for this cookie? That way the user would have to explicitly log out, otherwise they could just use the app forever without having to log back in?

Or is there a better way to do this? I can't remember sites like Twitter having ever asked me to log back in again. I seem to be permanently logged in. Do they just set no expiration?

The webapp isn't protecting any sort of highly sensitive data, so I don't mind leaving a cookie that doesn't expire, but it seems like there must be a better way?

This is the tutorial I'm referencing:

http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ

Thanks

like image 944
user246114 Avatar asked Oct 25 '22 16:10

user246114


1 Answers

The HttpSession is behind the scenes already backed by a cookie. Check the browser cookie list for the one with the name jsessionid. Further, when obtaining an instance, you should call getSession() without the false, else you may risk a NullPointerException when it isn't created yet and thus will return null.

When you do a login, you usually put the logged in User in the session.

User user = userDAO.find(username, password);
if (user != null) {
    session.setAttribute("user", user);
} else {
    // Handle error "Unknown username/password combo."
}

You can let your webapplication intercept on the logged in User by just checking its presence in the session. For example in a Filter which you'd like to use to block secured pages.

if (session.getAttribute("user") == null) {
    response.sendRedirect("login"); 
} else {
    chain.doFilter(request, response);
}

The HttpSession has in most webcontainers a default timeout of 30 minutes. In other words, it will expire 30 minutes after the last request. This is configureable in web.xml as follows:

<session-config>
    <session-timeout>10</session-timeout>
</session-config>

Where the timeout is in minutes (thus 10 minutes in the above example).

If you'd like to provide a (automatic) "Remember me on this computer" option, then you have to create another cookie with another identifier. I've posted previously an answer which goes in detail about that: Java - How do I keep a user logged into my site for months?

like image 60
BalusC Avatar answered Nov 23 '22 21:11

BalusC