Impact of long session timeout value

[Jonathan Brookins]

I was always a bit hazy on how sessions behaved back to CF8 days.  I was wondering, what are the negative impacts of having long session times?  Say for example we set the session timeout to 60 minutes. If someone accesses a page in the application, then immediately shuts their browser off I'm guessing at least any session variables that were allocated would remain for the duration of the 60 mins.  Would it also lock any worker processes as well?  Our specific setup is IIS -> Tomcat -> Lucee.

[Joseph Gooch]

It's just an impact on memory usage - no locking or worker thread issues.  We run 60min in production and routinely clock 14000 sessions. (Across numerous instances)

-G

On Thu, Mar 2, 2017 at 1:18 PM Jonathan Brookins <jon.br...@gmail.com> wrote:

I was always a bit hazy on how sessions behaved back to CF8 days.  I was wondering, what are the negative impacts of having long session times?  Say for example we set the session timeout to 60 minutes. If someone accesses a page in the application, then immediately shuts their browser off I'm guessing at least any session variables that were allocated would remain for the duration of the 60 mins.  Would it also lock any worker processes as well?  Our specific setup is IIS -> Tomcat -> Lucee.

--
You received this message because you are subscribed to the Google Groups "Lucee" group.
To unsubscribe from this group and stop receiving emails from it, send an email to lucee+un...@googlegroups.com.
To post to this group, send email to lu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/lucee/bbfdfc8b-7d9e-4aaf-866e-d172987e61e7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Seth Johnson]

Hi Jonathan,

I think it really comes down to what you are storing in the session, and how much memory is available.  We typically only store a user_id in the session, then get their user data when we need it.  What I think becomes a much bigger problem is if you are creating sessions for each spider that happens to hit your app.  We were running into problems on one app, and when I checked how many active sessions there were it numbered in the 10s of thousands.  Only about 40 of these sessions were 'live' users.  What we ended up doing was to set a cookie on login, and then check for the cookie existence in app.cfc.  If the cookie exists, set the session timeout to 2 hours, if not set the session timeout to 10 seconds (or just disable sessionmanagement).  This seemed to do the trick (I think this is the article on Charlie Arehart's site that gets credit).

if (structkeyExists(cookie,'loggedin'))

this.sessiontimeout = CreateTimeSpan(0,2,0,0);

else

this.sessiontimeout = CreateTimeSpan(0,0,0,10);

Seth

On Thu, Mar 2, 2017 at 11:18 AM, Jonathan Brookins <jon.br...@gmail.com> wrote:

I was always a bit hazy on how sessions behaved back to CF8 days.  I was wondering, what are the negative impacts of having long session times?  Say for example we set the session timeout to 60 minutes. If someone accesses a page in the application, then immediately shuts their browser off I'm guessing at least any session variables that were allocated would remain for the duration of the 60 mins.  Would it also lock any worker processes as well?  Our specific setup is IIS -> Tomcat -> Lucee.

--

You received this message because you are subscribed to the Google Groups "Lucee" group.

To unsubscribe from this group and stop receiving emails from it, send an email to lucee+unsubscribe@googlegroups.com.