Tutorial :Should there be a limit to concurrent number of sessions for a web application?



Question:

Should there be a limit to concurrent number of sessions for a web application?


Solution:1

No. Better to have your app be slow than to lock users out.


Solution:2

Do you mean on a per user basis or for the whole application?

Per user, the question depends on what the purpose of the web application is. If it's something like an online banking site, you could reasonable decide to only allow a single session per user for security. But if your app can already handle more than one session per user, it doesn't seem to make much sense to set an arbitrary limit.

On a per application basis, it doesn't really make much sense to set an arbitrary limit either unless you know it breaks down after a certain number of sessions for some reason.


Solution:3

No.

Your application can be shut down for everyone for your entire session timeout (say 20 minutes), by a simple bot starting max sessions.


Solution:4

Depends. Are you running in an environment where system resources are sufficiently scarce that you risk exhausting them by session use?


Solution:5

I assume you are talking about limiting same account for multiple sessions, otherwise ignore this :)

Depends, if it's high security application yes, this can avoid Session Hijacking issues (can be carried out many ways such XSS) as well as might help users to spot their account has been stolen and used by someone else.

In a normal web application which doesn't require high security, No. It's plain irritating.


Note:If u also have question or solution just comment us below or mail us on toontricks1994@gmail.com
Previous
Next Post »