session and performance

Q:

My team leader tell me to increase the time of session to one hour , to give the users the chance to work on their data, when i tell him about the performance , and this will be a load over the web server , he reply me what about Facebook or hotmail , or ...etc these sites don't sign out unless u log out by yourself..then he think that these sites give the session unlimited time.

i don'开发者_JAVA技巧t know we have a lot of users who will use the site concurrently, what is the best solution?

and if i can do that how to increase the session time.

Depends on how your site are builded up, i would prefer a ajax or some sort of auto-reload function. Facebook and sites like that are not screw up the session timeout to 3 hours. They check if the client is still there. If no answer, they are disconnected immedietly.

How much drawback your site are suffering of highing the session limit it fully depends on the amount of concurrent users and how much info you put into each session (and of course the server resources available).

What does system load have to do with the duration of a session? Answer: Nothing.

You may have more entries in the session table of the database that are otherwise expired (but only if you have a mechanism to remove expired session entries from the DB), but so what? The DB doesn't care.

Also, what other answers don't ask?, is session duration time since LOGIN or time since LAST ACTION?

Increasing session , do not hit the performance, but might create a security loophole for your app. Say in case if you have extended it to 3 hrs and some lazy users instead of logging out , just closed the page. If the next user comes and hit the same url then he wil land into the earlier ones bay.

A common example , Take a case, you visit a cafe, where guys are orkutting , going thru mails etc. Say the guy before you was accessing orkut, and without proper login, he just closes the page. Now what you did , you want to access your account. You hit www.orkut.com, what you will come across is , the earlier guys profile.

But note, Google is now using HTTPS even for search, so these things might not work. Earlier they happened a lot , even with me... :-).. https://encrypted.google.com/

Note :- Loading lots of Data in Session , degrads performance... also Session is a big evil So handle it carefully.

• Enable Sliding Expiration for Session instead of changing the session timeout.
• Try to minimize the Session Data .. Use other options like Cache/Cookies whereever possible
• Store your session Data in SQL Server for load balanced scenarios

how to set your session timeout : How to set session timeout in web.config

other than that session timeout has almost nothing to do with concurrency.