Question

Is it good practice to set the session-timeout in web.xml to 0?

Isn't it a possible memory leak if the user just closes the browser without logging out?

I've tried to analyze the memory heap using MAT, but I didn't find anything regarding the session container, so I'm still not sure.

Solution

IMHO it is a bad practice.

I think this isn't a memory 'leak' in the strict sense, but it may lead to memory saturation.

However, this will happen if you have

  • a small amount of memory
  • heavy session objects
  • many users
  • container that does not serialize sessions

But if one or more of these conditions are not met, preserving sessions should not be a problem from a memory standpoint.

I think the worst issue is, instead, from a security standpoint.

Session stealing techniques are very effective in this scenario: an attacker can use a stolen session days after the theft.
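For reference, the two configurations being compared above, as an added example that is not part of the original answer. In the servlet specification `session-timeout` is expressed in minutes, and a value of 0 or less tells the container never to expire idle sessions, which is exactly what makes a stolen session ID stay valid indefinitely. The hardened version uses a 30-minute idle timeout (an assumed value; pick what fits the application) and also sets the `HttpOnly` and `Secure` cookie flags, which narrow the most common ways a session ID gets stolen in the first place.

```xml
<!-- Weak setting: 0 (or any negative value) means the container never
     times out idle sessions. Closing the browser does not end the session
     server-side, so a stolen JSESSIONID remains usable until a restart. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
    <session-config>
        <session-timeout>0</session-timeout>
    </session-config>
</web-app>

<!-- Hardened setting (assumed values for illustration):
     - sessions expire after 30 minutes of inactivity, bounding both memory
       use and the window in which a stolen session ID is valid
     - HttpOnly keeps document.cookie from reading the session cookie
     - Secure keeps the cookie off plain HTTP -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
    <session-config>
        <session-timeout>30</session-timeout>
        <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
        </cookie-config>
    </session-config>
</web-app>
```

Note that this only caps the idle lifetime; a session that is used regularly never expires under either configuration. If an absolute maximum lifetime is also wanted, it has to be enforced in application code (for example by recording the creation time and invalidating the session once it is older than a fixed limit), since `session-timeout` alone does not provide it.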

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow