[Seaside] How to configure session timeouts (age)

Philippe Marschall philippe.marschall at gmail.com
Mon Nov 28 13:26:07 UTC 2016


On Mon, Nov 28, 2016 at 8:13 AM, jtuchel at objektfabrik.de
<jtuchel at objektfabrik.de> wrote:
> Mariano,
>
> I would be interested in your experiences with 5 hours. We went for 40
> minutes in order to give the server a chance to free RAM. Since Seaside by
> default doesn't clean up sessions when they expire, but only when new ones
> are requested, I'd be worried about memory usage with such long session
> intervals...

That is no longer true with Seaside 3.2. With Seaside 3.2 we expire
sessions also when existing ones are accessed. We can do this because
we have O(1) access to the oldest session.

In addition you now can configure a maximum number of sessions and what
should happen when that limit is reached.

And all of this should be documented in class comments :-)

> Another question: what do maximumRelativeAge and maximumAbsoluteAge actually
> do? Is this some way of tweaking the session cleanup policy?

A relative timeout is what OWASP used to call an idle timeout [1].

 [1] https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Automatic_Session_Expiration

Cheers
Philippe
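
The expiry behaviour discussed in this message, as an added Python example that is not part of the original post and not Seaside's code: sessions are reaped on every access, the oldest entry is found in O(1), and a session cap is enforced. The class and method names are hypothetical, the absolute age is assumed to be a hard lifetime since creation, and the overflow policy (evict the least recently used session) is an assumption.

```python
from collections import OrderedDict


class SessionCache:
    """Illustrative session store; not Seaside's API."""

    def __init__(self, max_relative_age, max_absolute_age, max_sessions):
        self.max_relative_age = max_relative_age  # idle timeout, seconds
        self.max_absolute_age = max_absolute_age  # lifetime since creation, seconds
        self.max_sessions = max_sessions
        self._created = OrderedDict()   # key -> creation time, oldest first
        self._accessed = OrderedDict()  # key -> last access, least recent first

    def _drop(self, key):
        self._created.pop(key, None)
        self._accessed.pop(key, None)

    def reap(self, now):
        """Expire from the head of each queue, stopping at the first live entry."""
        expired = []
        for queue, limit in ((self._accessed, self.max_relative_age),
                             (self._created, self.max_absolute_age)):
            while queue:
                key, stamp = next(iter(queue.items()))
                if now - stamp < limit:
                    break  # everything behind the head is younger
                self._drop(key)
                expired.append(key)
        return expired

    def create(self, key, now):
        self.reap(now)
        if len(self._created) >= self.max_sessions:
            # Assumed overflow policy: evict the least recently used session.
            self._drop(next(iter(self._accessed)))
        self._created[key] = now
        self._accessed[key] = now

    def access(self, key, now):
        """Return True if the session is still valid; reaps others as a side effect."""
        self.reap(now)
        if key not in self._accessed:
            return False
        self._accessed[key] = now
        self._accessed.move_to_end(key)
        return True
```

With a 600 second idle limit and a 3600 second absolute limit, a session that is touched every 500 seconds survives the idle check each time but is still rejected once it is an hour old.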

