Thank you all, so it's obvious that an infinite session timeout is a very,
very bad idea, and well, the scenario explained by William F. Robertson
is exactly the scenario that I was afraid of.
A question for Aidan Marcuss:
I thought that the session timeout is always sliding. Isn't that right?
And if not, how can I do that?
It seems that I wasn't very clear in my explanation before:
1- I'm using form validation (usernames and passwords are in a database)
2- I use sessions not only to keep track of the user but also to save
info and variables required for the web app.
and the session timeout was 20 mins
and all was fine.
Now the client wanted to add a feature where the user can log in
automatically (if he wants to).
So:
1- I used cookies to recognise users, and the automatic login was
accomplished successfully.
2- Originally the session timeout was designed for security reasons (at
least this is what I think), i.e. if a user forgets to close the browser, the
session timeout will prevent another person from entering the site from that
browser.
3- This session timeout is no longer needed since anyone can log on
automatically to the site if a user cookie resides on the client
computer.
4- The sessions are used to save SQL statements and other variables, and
the session timeout will reset those variables and all the work of the
user will be lost; this is why I was thinking of having an infinite session
timeout.
5- Finally, based on the replies, I think the better solution is to make
the session timeout longer for users authenticated automatically (an
hour, a day...) but not to use an infinite timeout.
*** Sent via Developersdex
http://www.developersdex.com ***
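The points above (a sliding timeout, an auto-login cookie, and work that disappears when the session expires) can be modelled without any particular web framework. The following is an added example written for this thread, not code from the poster or from any framework: it is a framework-agnostic Python model in which sessions have a sliding idle timeout plus an absolute cap, the "auto login" cookie is a separate long-lived token that is stored only as a hash and rotated on each use, and the user's in-progress work is persisted outside the session so a timeout does not destroy it. The policy values (20 minutes idle, 8 hours absolute, 30-day remember-me) and the `walkthrough` timeline are constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Policy values are illustrative assumptions, not taken from the thread.
IDLE_TIMEOUT = 20 * 60             # sliding: 20 min without a request ends the session
ABSOLUTE_LIFETIME = 8 * 3600       # hard cap: even a busy session is re-issued after 8 h
REMEMBER_ME_LIFETIME = 30 * 86400  # the auto-login cookie lives at most 30 days


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    data: dict = field(default_factory=dict)  # in-memory state, lost on expiry


class SessionStore:
    """Server-side sessions with a sliding idle timeout and an absolute cap."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, now):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, now, now)
        return sid

    def get(self, sid, now):
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_LIFETIME:
            del self._sessions[sid]  # expired: whatever sat in s.data is gone
            return None
        s.last_seen = now            # sliding: every request extends the idle window
        return s


class RememberMeStore:
    """Auto-login tokens: only a hash is kept server-side, and each token is single-use."""

    def __init__(self):
        self._tokens = {}  # sha256(token) -> (user, expiry)

    def issue(self, user, now):
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[digest] = (user, now + REMEMBER_ME_LIFETIME)
        return token

    def redeem(self, token, now):
        digest = hashlib.sha256(token.encode()).hexdigest()
        for stored, (user, expiry) in list(self._tokens.items()):
            if hmac.compare_digest(stored, digest):
                del self._tokens[stored]  # one use only; caller issues a replacement
                return user if now <= expiry else None
        return None


class App:
    def __init__(self):
        self.sessions = SessionStore()
        self.remember = RememberMeStore()
        self.drafts = {}  # user -> saved work; stands in for a database table

    def login(self, user, now, remember_me=False):
        sid = self.sessions.create(user, now)
        return sid, (self.remember.issue(user, now) if remember_me else None)

    def resolve(self, sid, token, now):
        """Return (sid, token, reauthenticated). A live session wins; otherwise a valid
        remember-me cookie silently opens a fresh session and the cookie is rotated."""
        if self.sessions.get(sid, now) is not None:
            return sid, token, False
        user = self.remember.redeem(token, now) if token else None
        if user is None:
            return None, None, False
        return self.sessions.create(user, now), self.remember.issue(user, now), True

    def save_work(self, sid, now, work):
        s = self.sessions.get(sid, now)
        if s is None:
            return False
        s.data["work"] = work       # convenient, but dies with the session
        self.drafts[s.user] = work  # persisted, so a timeout does not lose the work
        return True


def walkthrough():
    """Constructed timeline: log in with remember-me, work, go idle, come back."""
    app, result = App(), {}
    sid, token = app.login("alice", now=0, remember_me=True)
    app.save_work(sid, now=0, work="report draft")
    result["alive_at_15m"] = app.resolve(sid, token, now=15 * 60)[0] == sid
    # 30 min after login but only 15 min since the last request: sliding keeps it alive
    result["alive_at_30m"] = app.resolve(sid, token, now=30 * 60)[0] == sid
    # 25 min of silence: session expired, the remember-me cookie re-authenticates
    new_sid, _, reauth = app.resolve(sid, token, now=55 * 60)
    result["reauthenticated"] = reauth and new_sid != sid
    result["old_token_rejected"] = app.resolve("bogus", token, now=55 * 60)[0] is None
    result["session_state_lost"] = app.sessions.get(new_sid, now=55 * 60).data == {}
    result["persisted_work"] = app.drafts.get("alice")
    # Absolute cap: a user who clicks every 10 minutes still gets cut off at 8 h
    app2 = App()
    sid2, _ = app2.login("bob", now=0)
    result["absolute_cap_hit_at"] = max(
        t for t in range(0, 9 * 3600, 600) if app2.sessions.get(sid2, t) is not None)
    return result
```

The point for the thread is the split in `resolve`: the session timeout stays short because it only guards the browser that was left open, while the long-lived cookie is a separate credential that is hashed at rest, expires on its own schedule and is replaced every time it is used, and the user's work lives in `drafts` rather than in the session.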