Short version: How are sessions intended to be handled in a substantial web application?
Long version:
I’m new to web development, so I’m unfamiliar with some of the tools and terminology. I’ve been using Vaadin to prototype GUI applications and write little one-off demos at my office. I enjoy working in Vaadin, and I’d like to expand to using it for more applications of more substance and in production code. But every time I see that red “Session Expired” message pop up, I feel forced to re-think that idea.
Expiring sessions seems appropriate for applications that require a log-in to access sensitive information, but otherwise they are just an unpleasant experience for the end-user. I am troubled, though, because all the Vaadin demos I’ve seen include noisy session expiration alerts. For example, the
Vaadin Sampler is handy when I’m doing development and want to see a widget in action. But I leave the window open while I write some code and when I return I have to have to go through the disruption of refreshing the whole page and then navigating back to where I’d been.
What I want is for end-users to never be affected by session expiration. It would be acceptable if sessions expired and re-initialized transparently; for example, if a user could click a widget in an expired session window and have it re-initialize the application, restore their previous session state, and then register the widget-click.
Is this possible, or am I just misunderstanding what Vaadin is useful for?
I am aware of the
SmartSessions and
Session Guard add-ons, but I’m concerned that if I need an add-on for what seems like a fundamental capability then I’m probably misusing the tool. (But maybe I’m wrong and I should treat this as just a weird oversight in development?)
I’ve seen other posts on this forum that appear to mirror my confusion, so perhaps this is something that could be added to the documentation.
Sessions are inherent to all Java web applications - if not all web applications. You cannot not have a session, and you cannot have a session that doesn’t expire[1]
Given those limitations (which, to reiterate, are not Vaadin specific), you would have to customize what happens when a session expires. I imagine that you could do that yourself - but as both of the plugins you reference seem to be able to do exactly what you (transparently extend the session), I’d be inclined to use them.
With Best Wishes,
Charles
[1]
You could have a session time-out with a high value. Actually, to contradict myself, I’ve just seen a reference to setting -1 as a tomcat session-timeout value, meaning that it doesn’t expire. I’m fairly sure that this not this is a standard, though.
You should not have sessions that never expire - otherwise, you just keep expanding the storage for sessions indefinitely on the server and eventually might run out of memory or storage space. In practically all applications, you do want the sessions to expire if e.g. the browser has been closed and the user never comes back to the application.
Such add-ons as you mentioned are currently the way to go if you want to keep the session open for the time the user has the browser open and active, and a little beyond that. Alternatively, if there is e.g. polling with the Refresher add-on, that can also keep the session open as long as the application is open in the browser. In Vaadin 7, there will probably be improvements to support similar functionality in Vaadin itself.