Thanks for the reply Wolfram. We're a gaming site, and users really hate having to login each time they come to the site. Also, although we can cookie users to track their activities even when they are not logged in, we can't give them as robust of an experience as when they are. All in all, non-expiring sessions have been beneficial according to other similar companies that we've talked to. So, the question became, how to do it....
We'd thought about the unique key idea, which does make a lot of sense in that it would limit a potential I/O or memory bottleneck... but the issue, then, becomes how to log a user in when they return with a key. So, we can look up their login credentials (no problem), or even compare them ourselves, but I've had a difficult time finding any way to programmatically log a user in to the container managed security realm. I've tried using the ProgrammaticLogin class, but had no success getting the container to recognize the user is logged in (even though the method login returned true). I've found better documentation now (
https://glassfish.dev.java.net/javaee5/api/com/sun/appserv/security/ProgrammaticLogin.html) than I had seen when previously searching, so I'll give it another shot.
Alternatively, it seems like a custom session manager persistence type could work as well. Perhaps one that stores the sessions locally using a SQL Lite db. Thoughts?
[Message sent by forum member 'rwillie6' (rwillie6)]
http://forums.java.net/jive/thread.jspa?messageID=341295