Sessions

A session as defined by Wikipedia:

"In computer science, in particular networking, a session is a semi-permanent interactive information interchange between two or more communicating devices, or between a computer and user (see login session). A session is established at a certain point in time, and then torn down at some later point."

In our words: a session is state maintained at the server. It ties together all the requests you send to the server and ensures that your actions are not mixed up with the actions of other users.

A session holds the current user (anonymous until you log in).

Start of a session

A session is created on the first request a browser sends to the server. The browser receives a session cookie (JSESSIONID) from the server, and each subsequent request from the browser carries that cookie so the server can tell which session the request belongs to. The cookie value is the only thing that ties a request to a session, so anyone who obtains it can act within that session until the session ends.

End of a session

Ways to end a session

  • No session cookie
    If a browser does not send the session cookie with a request, the server generates and starts a new session.
    If the user was logged on, the user then gets a fresh, not-logged-on session with no trace of the old session whatsoever. This can happen when you send a request after closing and reopening your browser. Note that the old session itself is not invalidated by this: it remains at the server until its session time-out expires (see below).

  • IP change
    This can happen when you use a mobile device or public wifi hotspots. Your browser still sends the correct session cookie, but the request now arrives from a different IP address. If the allow roaming property of the usergroup is disabled, the current session is invalidated; if roaming is allowed, the session continues.

  • Log out
    When you log out, your current session is invalidated at the server for security reasons. Your next request results in a new, fresh anonymous session.

  • Session time-out
    A session has an expiry, the session time-out. If the server does not receive a request within that time after the last request, the session is invalidated. The next request after a time-out results in a new, fresh anonymous session.

The session time-out is 30 minutes by default and 4 hours at most. It is adjustable per usergroup.

Session time considerations and limits

Our advice is to keep session times as short as possible.
The longer a session stays alive, the longer it is exposed to misuse. With a 4 hour session time, anyone who gets hold of your session (for example at your unlocked desk while you are out for a coffee) can use it for up to 4 hours. A short session time limits that window.

A long session is also a performance risk. If every new session is a 4 hour session, it stays alive at the server and consumes resources for 4 hours. Even when users close their browsers, the session remains for 4 hours!

Keep alive option

Sometimes people need a longer session time because they edit long texts or fill in long forms such as reviews. You can choose to give that specific usergroup a long session time.

If the number of users in this usergroup is limited, this might be a good choice. With a larger number of users it may lead to performance issues and many unnecessary, unused open sessions. Even when users close their browsers, the sessions remain for a long time!

A better option is then the keep alive. Set the session time-out of the usergroup to a shorter period, such as 30 minutes: a session then remains active until 30 minutes of inactivity. To extend that time for browsers that are still open, we added the keep alive option.
If you enable the keep alive option for a usergroup, the engine sends a "keep alive" request to the server every 5 minutes. Each "keep alive" request counts as a request, so the inactivity timer starts over and the session stays alive for as long as the browser is open.
When the browser is closed, the "keep alive" requests stop being sent and the session is invalidated after the session time-out (in this case, 30 minutes).

To enable keep alive requests on non-standard pages, add the following:

<script>
    // 300: presumably the interval in seconds (5 minutes, matching the keep alive interval above)
    CX.startStayAlive(300)
</script>