Impact of long session timeout value

I was always a bit hazy on how sessions behaved back to CF8 days. I was
wondering, what are the negative impacts of having long session times? Say
for example we set the session timeout to 60 minutes. If someone accesses a
page in the application, then immediately shuts their browser off I’m
guessing at least any session variables that were allocated would remain
for the duration of the 60 mins. Would it also lock any worker processes
as well? Our specific setup is IIS -> Tomcat -> Lucee.

It’s just an impact on memory usage - no locking or worker thread issues.
We run 60min in production and routinely clock 14000 sessions. (Across
numerous instances)

-GOn Thu, Mar 2, 2017 at 1:18 PM Jonathan Brookins <@Jonathan_Brookins> wrote:

I was always a bit hazy on how sessions behaved back to CF8 days. I was
wondering, what are the negative impacts of having long session times? Say
for example we set the session timeout to 60 minutes. If someone accesses a
page in the application, then immediately shuts their browser off I’m
guessing at least any session variables that were allocated would remain
for the duration of the 60 mins. Would it also lock any worker processes
as well? Our specific setup is IIS -> Tomcat -> Lucee.


You received this message because you are subscribed to the Google Groups
“Lucee” group.
To unsubscribe from this group and stop receiving emails from it, send an
email to lucee+unsubscribe@googlegroups.com.
To post to this group, send email to lucee@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/lucee/bbfdfc8b-7d9e-4aaf-866e-d172987e61e7%40googlegroups.com
https://groups.google.com/d/msgid/lucee/bbfdfc8b-7d9e-4aaf-866e-d172987e61e7%40googlegroups.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.

Hi Jonathan,

I think it really comes down to what you are storing in the session, and
how much memory is available. We typically only store a user_id in the
session, then get their user data when we need it. What I think becomes a
much bigger problem is if you are creating sessions for each spider that
happens to hit your app. We were running into problems on one app, and
when I checked how many active sessions there were it numbered in the 10s
of thousands. Only about 40 of these sessions were ‘live’ users. What we
ended up doing was to set a cookie on login, and then check for the cookie
existence in app.cfc. If the cookie exists, set the session timeout to 2
hours, if not set the session timeout to 10 seconds (or just disable
sessionmanagement). This seemed to do the trick (I think this is the
article
http://www.carehart.org/blog/client/index.cfm/2006/10/4/bots_and_spiders_and_poor_CF_performance
on Charlie Arehart’s site that gets credit).

if (structkeyExists(cookie,‘loggedin’))
this.sessiontimeout = CreateTimeSpan(0,2,0,0);
else
this.sessiontimeout = CreateTimeSpan(0,0,0,10);

SethOn Thu, Mar 2, 2017 at 11:18 AM, Jonathan Brookins <@Jonathan_Brookins> wrote:

I was always a bit hazy on how sessions behaved back to CF8 days. I was
wondering, what are the negative impacts of having long session times? Say
for example we set the session timeout to 60 minutes. If someone accesses a
page in the application, then immediately shuts their browser off I’m
guessing at least any session variables that were allocated would remain
for the duration of the 60 mins. Would it also lock any worker processes
as well? Our specific setup is IIS -> Tomcat -> Lucee.


You received this message because you are subscribed to the Google Groups
“Lucee” group.
To unsubscribe from this group and stop receiving emails from it, send an
email to lucee+unsubscribe@googlegroups.com.
To post to this group, send email to lucee@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/ms
gid/lucee/bbfdfc8b-7d9e-4aaf-866e-d172987e61e7%40googlegroups.com
https://groups.google.com/d/msgid/lucee/bbfdfc8b-7d9e-4aaf-866e-d172987e61e7%40googlegroups.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.