
I have been testing a web application with Spring MVC, and I'm currently developing an editor page for accounts. This JSP page is able to edit one or more accounts, serving different purposes. For example, a common user can edit account data on this page. On the other hand, administrator users can edit multiple accounts on this page. In terms of logic (for me), editing multiple accounts as an administrator user works like this:

  1. The user selects a list of accounts.
  2. The list reaches the controller.
  3. The controller stores the list of accounts.
  4. The controller directs the user to the edit page.
  5. The user fills out the editing form.
  6. The form is sent to the controller.
  7. The controller retrieves the list of accounts previously saved.
  8. Editing form data is reflected in the list of records.
  9. The list is deleted from storage.

My problem appears when the user does not perform step 5 and decides to do something else. Without the removal of the list from storage, the server will suffer from a memory leak. It would be very important to detect the user's exit, which would cause the system to remove the list automatically.

I'm choosing to save the list of accounts to be edited on the server side to prevent it from being saved on the user side, where the user could well tamper with the data.

I might as well use JavaScript to detect when a user leaves a page, but he/she may well turn off JavaScript, which results in the same problem. Therefore, this is an impractical solution.

I have not yet developed the implementation of it, so I'm just planning right now. Can anyone help me with this? Am I doing something wrong? Is there an error in my logic, or am I leaving out something useful?

Note: I'm using Tomcat 8.0 and Spring MVC 4.1.1, with Java JDK 8.

Loa
  • Don't be concerned with it, the garbage collector will eventually handle it for you. – Jorge Campos Feb 13 '15 at 22:50
  • Where is your data persisted, and how much data would a user normally select? Storing large amounts of data in a session is not recommended - you should store only the list of identifiers in the session, and fetch / persist one account at a time, as it is being edited. – Nick Vasic Feb 14 '15 at 00:08

1 Answer


That's the whole purpose of session management. Your web server does it for you. When you use Java EE or any other session technology, the server is supposed to deal with timeouts, cleaning up the session objects. This happens based on user idle time. How does the server know users are idle? Because for every request sent by the browser, its session id is sent in a cookie.

Usually, the timeout threshold is a configurable period of time (usually defined in web.xml). This value may need to be tuned, based on the available network/memory resources and the expected number of simultaneous users.

In fact, sessions+cookies are the only flexible and secure way to deal with the stateless nature of HTTP.

There are variations of this, namely conversation or view scopes, where the user may have a session per tab. But the principle is the same: put stuff in the session and get it back later by session id (a cookie on the client side).

Finally, you should not rely on the browser to do server stuff. This would not be reliable.

Luís Soares
  • Hi Luís Soares. Thanks for answering. Could you confirm for me where the data from user sessions gets stored? Is it stored on the server side or the client side? Admittedly, the client keeps a cookie that identifies it to the server, but what about the data? I've been looking for this since you answered me. Confirm this with one or two trusted sources and I will consider your answer as correct. Also, if I find it, I will consider it as well. Either way, thank you in advance. – Loa Feb 13 '15 at 23:31
  • Well.. Those sessions are stored in server-side RAM, in principle. This is true for Java, PHP, .NET, etc.. Would you like a conceptual response or a response based on a specific tech? Because I'm not sure if your doubt is conceptual or technical. – Luís Soares Feb 13 '15 at 23:36
  • I apologize if maybe I'm being picky, but unfortunately I need to confirm this. I imagined that the session data was stored in memory when you answered me. Before your answer, for me, the session data was stored on the user side. As I'm using Servlets and Tomcat, is there a document that says/states in what location (server / client, memory / file) sessions are stored? That's what I'm looking for since you answered me. – Loa Feb 13 '15 at 23:44
  • Sure you can be picky. I just had to give a general response to understand your doubt. In Java EE, web servers have to adhere to a standard. So, the web server does not matter much. Servlets are used regardless of the library (spring or other). I'll search the document then :) – Luís Soares Feb 14 '15 at 00:02
  • Btw, Tomcat does not implement Java EE (TomEE does). It only provides Java web, which does not mean you don't have sessions. – Luís Soares Feb 14 '15 at 00:03
  • I appreciate your attention, thank you. I found some Tomcat documents, and nothing yet. I'm looking and guiding myself by OWASP. So far I have not found anything yet. ':/ – Loa Feb 14 '15 at 00:06
  • Nice reading: http://stackoverflow.com/questions/3106452/how-do-servlets-work-instantiation-session-variables-and-multithreading – Luís Soares Feb 14 '15 at 00:15
  • I really needed that! I think I love you now! hahahaha! Thank U! :D – Loa Feb 14 '15 at 00:29
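The following is an added example written for this page, not code from the question, the answer, or any linked project. It puts the asker's nine-step flow together with the answer's point that idle-session expiry is the container's job: the selected account identifiers (only the IDs, as Nick Vasic's comment suggests, never the full records) are parked in the HttpSession by Spring MVC's @SessionAttributes, read back from the session on submit so the client cannot alter them, and cleared with SessionStatus.setComplete(); if the user walks away at step 5, the session-timeout in web.xml is what frees the list. It assumes Spring MVC 4.1 on Tomcat 8 with Servlet 3.0 annotation scanning; the package, the classes AccountBulkEditController, PendingEditSessionListener, AccountService and AccountEditForm, the view name, and the attribute name pendingAccountIds are invented for illustration.

```java
package example.accounts; // hypothetical package

import java.util.List;
import java.util.logging.Logger;

import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.SessionAttributes;
import org.springframework.web.bind.support.SessionStatus;

/** Hypothetical form backing the bulk-edit JSP; one field is enough for the example. */
class AccountEditForm {
    private String department;
    public String getDepartment() { return department; }
    public void setDepartment(String department) { this.department = department; }
}

/** Hypothetical persistence service; the real data layer is not on the page. */
interface AccountService {
    void applyEdit(long accountId, AccountEditForm form);
}

/*
 * Idle-session expiry is configured in web.xml, in minutes:
 *
 *   <session-config>
 *     <session-timeout>30</session-timeout>
 *   </session-config>
 *
 * When that timer fires, Tomcat invalidates the session and drops every attribute
 * in it, including the pending ID list below, so no JavaScript "page exit" hook
 * is needed to avoid the leak the question worries about.
 */
@Controller
@SessionAttributes("pendingAccountIds") // this model attribute lives in the HttpSession
public class AccountBulkEditController {

    private final AccountService accountService;

    @Autowired // explicit: implicit single-constructor injection only arrived in Spring 4.3
    public AccountBulkEditController(AccountService accountService) {
        this.accountService = accountService;
    }

    // Steps 1-4: the selection arrives. Keep only the identifiers server-side
    // (not the full records) and send the user to the edit form.
    @RequestMapping(value = "/accounts/bulk-edit", method = RequestMethod.POST)
    public String startBulkEdit(@RequestParam("ids") List<Long> ids, Model model) {
        model.addAttribute("pendingAccountIds", ids);
        model.addAttribute("form", new AccountEditForm());
        return "accounts/bulkEdit"; // JSP view name, assumed
    }

    // Steps 6-9: the form comes back. The ID list is read from the session, never
    // from the request, so a client cannot swap in accounts it did not select.
    // If the session already expired, Spring rejects the request with
    // HttpSessionRequiredException instead of editing an empty list.
    @RequestMapping(value = "/accounts/bulk-edit/apply", method = RequestMethod.POST)
    public String applyBulkEdit(@ModelAttribute("pendingAccountIds") List<Long> ids,
                                @ModelAttribute("form") AccountEditForm form,
                                SessionStatus status) {
        for (Long id : ids) {
            accountService.applyEdit(id, form); // one account per call, not one big graph
        }
        status.setComplete(); // step 9: drop pendingAccountIds from the session now
        return "redirect:/accounts";
    }
}

/** Observes the container expiring or invalidating sessions; handy for auditing abandoned edits. */
@WebListener
class PendingEditSessionListener implements HttpSessionListener {
    private static final Logger LOG = Logger.getLogger(PendingEditSessionListener.class.getName());

    @Override
    public void sessionCreated(HttpSessionEvent se) { }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Attributes are still readable here; the container discards them right after.
        Object pending = se.getSession().getAttribute("pendingAccountIds");
        if (pending instanceof List) {
            // Log the count only; session identifiers do not belong in application logs.
            LOG.info("a session expired with " + ((List<?>) pending).size()
                    + " account IDs left in an unfinished bulk edit");
        }
    }
}
```

The design choice worth noting is that the session holds a handful of Long values, not account entities, so even many abandoned edits cost the server very little memory before the timeout reclaims them; the listener is for observability, not for freeing memory, because the container already does that.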