If every user of my app needs to be logged in I would need a session per user anyway so I don't see how it's going to use more memory?
I would NOT recommend setting infinite HttpSession times in web.xml. You'll just use up most of your server memory.
The only issue I can see is if the user doesn't return to the app (and never logged off). In that case, there is an argument that the session will remain indefinitely.
Perhaps a combination might be better? A session timeout of double the time you want (60 mins) and a servlet filter for the actual timeout you want (30 mins).
If the user returns to the app after 30 mins but before 60, your servlet filter will catch that (and invalidate the session).
If the user never comes back or comes back after 60 mins, the web container will invalidate the session for you, conserving memory.
Cheers
R
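
The combination described in the post above, sketched as an added example that is not part of the original post. It assumes the `javax.servlet` API, a hypothetical `/login` page, and a hypothetical session attribute name. The filter keeps its own timestamp because containers differ on whether `getLastAccessedTime()` already reflects the current request.

```java
// Container-side backstop, set in web.xml (value in minutes):
//   <session-config><session-timeout>60</session-timeout></session-config>
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class IdleTimeoutFilter implements Filter {
    // The timeout the application actually wants: 30 minutes of inactivity.
    private static final long IDLE_LIMIT_MS = 30L * 60 * 1000;
    // Hypothetical attribute name holding the time of the previous request.
    private static final String LAST_SEEN = "idleFilter.lastSeen";

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): never create a session just to check its age.
        HttpSession session = request.getSession(false);
        if (session != null) {
            long now = System.currentTimeMillis();
            Long lastSeen = (Long) session.getAttribute(LAST_SEEN);
            if (lastSeen != null && now - lastSeen > IDLE_LIMIT_MS) {
                // Returned after 30 minutes but before the container's 60:
                // drop the session and send the user back to log in.
                session.invalidate();
                response.sendRedirect(request.getContextPath() + "/login"); // hypothetical path
                return;
            }
            // Still within the limit: record this request as the latest activity.
            session.setAttribute(LAST_SEEN, now);
        }
        chain.doFilter(req, res);
    }
}
```

The filter only runs when a request arrives, so sessions of users who never return are still reclaimed by the container's 60-minute timeout.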


