How long do you keep session cookies around for?
I'm implementing a web ap开发者_StackOverflowp, which uses sessions. I'm using GWT and app engine as my client/server, but I don't think they're doing anything really different than I would do with PHP and apache etc.
When a user logs into my web app, I am using HttpSession to start a session for them. I get the session id like this:
// From my login servlet:
getThreadLocalRequest().getSession(false).getId();
I return the sessionId back to the client, and they store it in a cookie. The tutorial I'm using sets this cookie to 'expire' in two weeks:
Cookie.write("sid", theSessionId, 1000 * 60 * 60 * 24 * 14); // two weeks
Here's where I'm confused: if the cookie expires in two weeks, then my user will go along using the webapp happily, only to one day browse to my site and be shown a login screen. What are my options? Can I just set no expiration time for this cookie? That way the user would have to explicitly log out, otherwise they could just use the app forever without having to log back in?
Or is there a better way to do this? I can't remember sites like Twitter having ever asked me to log back in again. I seem to be permanently logged in. Do they just set no expiration?
The webapp isn't protecting any sort of highly sensitive data, so I don't mind leaving a cookie that doesn't expire, but it seems like there must be a better way?
This is the tutorial I'm referencing:
http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ
Thanks
The HttpSession
is behind the scenes already backed by a cookie. Check the browser cookie list for the one with the name jsessionid
. Further, when obtaining an instance, you should call getSession()
without the false
, else you may risk a NullPointerException
when it isn't created yet and thus will return null
.
When you do a login, you usually put the logged in User
in the session.
User user = userDAO.find(username, password);
if (user != null) {
session.setAttribute("user", user);
} else {
// Handle error "Unknown username/password combo."
}
You can let your webapplication intercept on the logged in User
by just checking its presence in the session. For example in a Filter
which you'd like to use to block secured pages.
if (session.getAttribute("user") == null) {
response.sendRedirect("login");
} else {
chain.doFilter(request, response);
}
The HttpSession
has in most webcontainers a default timeout of 30 minutes. In other words, it will expire 30 minutes after the last request. This is configureable in web.xml
as follows:
<session-config>
<session-timeout>10</session-timeout>
</session-config>
Where the timeout is in minutes (thus 10 minutes in the above example).
If you'd like to provide a (automatic) "Remember me on this computer" option, then you have to create another cookie with another identifier. I've posted previously an answer which goes in detail about that: Java - How do I keep a user logged into my site for months?
精彩评论