3 Replies - 629 Views - Last Post: 22 November 2017 - 03:41 PM

#1 Skydiver

Getting into the Java mindset: Web application sessions

Posted 21 November 2017 - 03:44 PM

As many of you know, I only dabble in Java because I'm forced to do it occasionally at work. I don't have any formal training in Java and everything I've learned is self-taught or picked up through tutorials that are geared towards getting to a particular goal/task at hand.

I'm trying to understand why Java-based web applications seem to have some kind of a hard deadline for when a web session state ends. Oracle Web Center's Portals and Sites products want to time out a session after a few minutes. PeopleSoft wants to time out a session. Atlassian's various offerings want to time out a session. Once the session ends, often a message comes up indicating that the session has ended, and you need to log back on again.

This has me confused coming from the Windows/ASP.NET side of the world. Using ASP.NET-based applications seems to be seamless when using IE (and also Chrome with automatic authentication enabled). ASP.NET apps don't make a big deal about a session having timed out. If the session times out, simply hit the site again and things just work.

When I tried asking the Java devs in my team regarding this, they explained that sessions take up memory. So it's important to close down sessions and free up that memory. I countered that sessions in ASP.NET web sessions also take up memory and it doesn't seem to be an overriding concern for an ASP.NET developer to make sure that a session is ended as soon as possible to free up memory. Crickets was the response. So I tried taking a different tack: For most farm environments, the session state handling is often offloaded to a session state server that uses either a database, memory cache, or some combination thereof. So any memory concerns of the application are now reduced to a single handle or session id. Any bigger memory hits will be on the session state server. The response I get back is that it's bad to leave stale data with the session state server and that the application MUST close out the session.

I just don't get it. But I do want to understand. I'd like to be able to get into that mindset that has that "must close the session" compulsion. Is there a particular assignment or project that all Java developers have to do while formally learning the language that enforces this idea of having to close everything? Is there a must-read whitepaper or article that every Java developer refers to? Why does this compulsion to close web sessions not translate over to compulsions to close files and streams (of which I tend to see many examples even in "production" code)?

Or is all this a product of the original environments in which these technologies were developed? On Windows, unless you have draconian security policies at your workplace, you log into your PC and never log out, while on *nix systems, of course you log in, and then you log out or get logged out if the session is idle too long?

Replies To: Getting into the Java mindset: Web application sessions

#2 modi123_1

Re: Getting into the Java mindset: Web application sessions

Posted 21 November 2017 - 03:57 PM

I wonder if it is an issue of Java getting sessions hijacked and exploited back in the day.

#3 Skydiver

Re: Getting into the Java mindset: Web application sessions

Posted 22 November 2017 - 11:49 AM

If that's true, I wonder why C/C++ programmers didn't learn from buffer overflows. :)

#4 Skydiver

Re: Getting into the Java mindset: Web application sessions

Posted 22 November 2017 - 03:41 PM

Okay, I found an ASP.NET based application that is equally as paranoid about sessions: SolarWinds Server & Application Monitor. No seamless login when the session expires.