
Should server side timeout be implemented?

I am building a Java + AngularJS application. I have implemented a session timeout on the client side, which sends a request to the server to expire the session token if there is no activity by the user for 30 minutes.

Should the timeout also be present separately on the server side, i.e. if the connection to the server has not been closed for, say, 5 hours or one day, automatically expire the session token on the server side and log the user out by sending a 401?

Another case that comes to mind is that if I am using the API separately with some other application, should my API never time out? Or should it have a session duration, since I manage the session token on the server side?

IMHO keeping session tokens in your server with a TTL (time to live; basically your token will be removed from your datastore if there isn't any activity for a certain period of time) would be the best approach. Many datastores have mechanisms for implementing this, and they remove session tokens automatically when the TTL expires; I would suggest Redis for this case. Keeping the session security on the server side is required.

If you are providing an API to different applications, it would make sense to use the same mechanism. You may log into another application as long as the user is logged in to your system and has already given permission to the other application through your system.
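A minimal server-side implementation of the TTL approach the answer describes, added here as an example rather than code from the question or the answer. It keeps sessions in memory so it runs without Redis; the class name, the idle and absolute lifetimes, and the injected `Clock` (so expiry can be exercised without waiting) are assumptions.

```java
import java.security.SecureRandom;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Server-side session store with an idle TTL (refreshed on activity) and an absolute lifetime. */
public final class SessionStore {
    private static final class Session {
        final String user;
        final Instant createdAt;
        volatile Instant lastSeen;
        Session(String user, Instant now) { this.user = user; createdAt = now; lastSeen = now; }
    }
    private final ConcurrentHashMap<String, Session> sessions = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Clock clock;          // injected so expiry can be tested without waiting
    private final Duration idleTtl;     // e.g. 30 minutes without a request (assumed value)
    private final Duration absoluteTtl; // e.g. 1 day, however active the user is (assumed value)
    public SessionStore(Clock clock, Duration idleTtl, Duration absoluteTtl) {
        this.clock = clock; this.idleTtl = idleTtl; this.absoluteTtl = absoluteTtl;
    }
    /** Issues an opaque random token; only the server decides when it stops being valid. */
    public String create(String user) {
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, new Session(user, clock.instant()));
        return token;
    }
    /** Returns the user for a live token and refreshes its idle timer; empty means answer 401. */
    public Optional<String> validate(String token) {
        Session s = token == null ? null : sessions.get(token);
        if (s == null) return Optional.empty();
        Instant now = clock.instant();
        if (Duration.between(s.lastSeen, now).compareTo(idleTtl) > 0
                || Duration.between(s.createdAt, now).compareTo(absoluteTtl) > 0) {
            sessions.remove(token); // same effect as a Redis key being evicted when its TTL runs out
            return Optional.empty();
        }
        s.lastSeen = now;
        return Optional.of(s.user);
    }
    /** Explicit logout, e.g. from the client-side idle timer described in the question. */
    public void revoke(String token) { sessions.remove(token); }
}
```

With Redis, the idle TTL maps onto the key's expiry (set on creation and refreshed on each valid request); the absolute cap still needs the creation time stored alongside the token, because a refreshed key expiry alone never ends an active session.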
