This link has been bookmarked by 9 people . It was first bookmarked on 16 Apr 2008, by Daniel Andrlik.
29 Dec 09
Ivari Horm: How many times have you returned to your web browser to be greeted by this unpleasant little notification:
Your session has timed out. Please sign in again.
- Performance. Consider a highly trafficked web site. If the website tried to keep sessions alive for an entire month, that could cause the session table to grow to millions of records. It's even worse if you think about it in terms of user information cached in memory; a measly few kilobytes of memory state per user doesn't sound like much, but multiplied by a few million, it absolutely is. If this data wasn't expired and dumped on some schedule, it would quickly blow up the web server.
- Security. The magic cookie that stores your session can potentially be stolen. If that cookie never expires, you have an infinitely long vulnerability window to session hijacking. This is serious stuff, and mitigation strategies are limited. The best option, short of encrypting the entire connection from end to end via HTTPS, is to keep a tight expiration window on the session cookie, and regenerate them frequently.
So why does the server choose to arbitrarily forget about you in an hour?
Here's what I suggest:
- Create a background JavaScript process in the browser that sends regular heartbeats to the server. Regenerate a new cookie with timed expiration, say, every 5 or 10 minutes.
- If you're worried about session hijacking -- and you really should be -- use an HTTPS protected connection. This is an absolute no-brainer for financial institutions of any kind.
16 Apr 08
Daniel Andrlik: This is an interesting post by Jeff Atwood on how programmers should handle session expiration in their applications. I particularly like his explanation of why session expiration occurs:
"The HTTP protocol that the web is built on is stateless. That means every individual request your browser sends to a web server is a newborn babe, cruelly born into a world that is utterly and completely oblivious to its existence." :-)