Does a long idle session timeout setting impact application performance if a large number of users remain idle, and could this cause performance issues on self-managed HNAS servers ? Will it affect the garbage collectors?
Discussion posts and replies are publicly visible
Idle users should not have much impact on performance aside from perhaps their session taking up some memory.
Hello Mathieu ,
It's a self managed system in red hat ,we see issues such as node disconnection , node overload when the large number of users using the application ,do you see any relevance to these issues
udhay kumar said:large number of users using the application
That's a whole different thing than idle sessions ...
You will have to find out whether your performance issues are related to user interactions, mostly hitting tomcat, vs. process related which mostly hits the execution engines. And of course, there are a few other things that have impact on performance.
A thorough diagnosis is the first things you need to do.
Hello Stefan ,
Currently we have this default 65 minutes , will it give any advantage in perfromance if we reduce it . in any way??
Shouldn't make much difference IMO. Reducing session length is usually for security not performance purposes.
https://auth0.com/blog/balance-user-experience-and-security-to-retain-customers/
OWASP recommends application builders to implement short idle time outs (2-5 minutes) for applications that handle high-risk data, like financial information. It considers that longer idle time outs (15-30 minutes) are acceptable for low-risk applications. On the other hand, NIST recommends that application builders make their users re-authenticate every 12 hours and terminate sessions after 30 minutes of inactivity. For intermittent re-authentication, that session termination time shrinks to 2 minutes.
OWASP recommends application builders to implement short idle time outs (2-5 minutes) for applications that handle high-risk data, like financial information. It considers that longer idle time outs (15-30 minutes) are acceptable for low-risk applications.
On the other hand, NIST recommends that application builders make their users re-authenticate every 12 hours and terminate sessions after 30 minutes of inactivity. For intermittent re-authentication, that session termination time shrinks to 2 minutes.
Thanks Mathieu