[Sigia-l] time-out session lengths, security, and user tasks

Listera listera at rcn.com
Mon Nov 11 18:43:51 EST 2002


"Peter Merholz" wrote:

> In my ideal world, there would be no session timeouts.

If you have a very busy site, with a very large number of users, the server
would be overburdened with the task of keeping so much session info alive.
Keeping them in live memory would mean that RAM needs to be allocated, and if
there's a crash, all the info is lost. Keeping them in a DB would mean
frequent trips to the DB, thereby reducing the efficiency of the DB pipe.
Writing them to disk would mean slow disk I/O. Keeping them in cookies would
mean frequent parsing, re-writing, etc. So if the user numbers are high,
this becomes a considerable issue.

> Can you ask the security folks to give a good reason for a session timeout?

Not all decisions made by technical/security folks are daft. Sometimes there
are good reasons. The problem arises when folks look for "industry
standards" and magic numbers, etc.

Best,

Ziya
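As an added illustration of the point above about keeping session state alive on the server, here is a small in-memory session store with both an idle timeout and an absolute lifetime. This code is written for this archive page and is not from the post or from the list; the 15-minute idle limit, the 1-hour absolute limit, the dict-backed store, the 10,000 abandoned logins and the fake clock used to step time are all constructed assumptions. It shows the two things a timeout buys: abandoned sessions are evicted instead of accumulating forever, and even a continuously active session (a stolen cookie being replayed, say) stops working once its absolute lifetime is reached.

```python
"""Added example: in-memory session store with idle and absolute timeouts.
Written for this archive page; not part of the original post. Timeout
values, store layout and the fake clock are assumptions."""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    created: float    # when the session was issued
    last_seen: float  # last validated request


class SessionStore:
    def __init__(self, idle_timeout=15 * 60, absolute_timeout=60 * 60,
                 clock=time.monotonic):
        self.idle_timeout = idle_timeout          # seconds of inactivity allowed
        self.absolute_timeout = absolute_timeout  # hard cap on session age
        self.clock = clock                        # injectable for testing
        self._sessions = {}

    def create(self, user):
        now = self.clock()
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy; unguessable id
        self._sessions[sid] = Session(user, now, now)
        return sid

    def _expired(self, s, now):
        # A session ends when it has been idle too long OR has simply lived too
        # long, whichever comes first; activity cannot extend the absolute cap.
        return (now - s.last_seen >= self.idle_timeout or
                now - s.created >= self.absolute_timeout)

    def touch(self, sid):
        """Validate a presented session id and refresh its idle timer.
        Returns the user name, or None if unknown or expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if self._expired(s, now):
            del self._sessions[sid]  # evict lazily on use
            return None
        s.last_seen = now
        return s.user

    def sweep(self):
        """Evict every expired session (run periodically); returns count."""
        now = self.clock()
        dead = [sid for sid, s in self._sessions.items() if self._expired(s, now)]
        for sid in dead:
            del self._sessions[sid]
        return len(dead)

    def __len__(self):
        return len(self._sessions)


class FakeClock:
    """Constructed stand-in for time.monotonic so the demo runs instantly."""
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    clock = FakeClock()
    store = SessionStore(idle_timeout=900, absolute_timeout=3600, clock=clock)
    active = store.create("alice")
    idle = store.create("bob")
    # Constructed load: 10,000 users who log in once and never come back.
    for i in range(10_000):
        store.create(f"user{i}")
    results = {}

    clock.advance(600)   # t=600: alice makes a request, bob does not
    store.touch(active)
    clock.advance(600)   # t=1200: bob idle 1200s >= 900s, alice idle 600s
    results["idle_user_after_20min"] = store.touch(idle)      # None
    results["active_user_after_20min"] = store.touch(active)  # "alice"
    results["swept"] = store.sweep()      # the 10,000 abandoned sessions
    results["remaining"] = len(store)     # only alice is left

    for _ in range(3):                    # alice keeps clicking every 10 min
        clock.advance(600)
        results["active_before_absolute"] = store.touch(active)  # "alice" at t=3000
    clock.advance(600)   # t=3600: age reaches the absolute limit
    results["active_at_absolute"] = store.touch(active)   # None
    results["final_count"] = len(store)                   # 0
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The idle timer is refreshed only on a successful validation, so a replayed cookie keeps a session alive just as a real user would; that is exactly why the absolute cap exists and why it must be measured from `created`, not `last_seen`.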
