Invalidating user session on browser window close

 
Ranch Hand
Posts: 89
Hi all,
I want to invalidate a HTTPSession when the client closes the browser window. Is it possible?
Any help is highly appreciated.
Thanks
 
Ranch Hand
Posts: 3695
I initially thought "no, since the browser doesn't notify the server-side, there is no way to invalidate the session on browser close." But this didn't make sense when I thought of it. Log in to a site. Close all your browsers and then return. You'll be logged out. So it's possible somehow.


(for Tomcat) in conf/web.xml (or inside the individual application's WEB-INF/web.xml) there is a session configuration tag.

If you set the timeout to -1 that means "never" but I've seen some people say that it means "when the browser closes". So you might investigate if using -1 gives you the behaviour you want.
[ February 10, 2003: Message edited by: Mike Curwen ]
 
Ranch Hand
Posts: 130
Maybe it must be zero '0'. In that case the session (a cookie on the client side) will not be saved as a file, only in the cache of the browser, or something like that.
Yours,
Mark Monster
 
Greenhorn
Posts: 7
I've got another opinion:
It's not possible.
The reason that it appears to work for tomcat is in my opinion: Tomcat sends a temporary cookie which is not permanently saved on the browser. It contains the jsessionid. When the browser is closed the temporary cookie is discarded. After restarting and reconnecting tomcat finds that the browser doesn't send a jsessionid and thus creates a new session for this client. This creates the effect that you're logged off after exiting the browser.
Yours,
Stefan
 
Ranch Hand
Posts: 39
Stefan is exactly correct, the browser stores the session cookie in its memory space and so if the browser is closed and a new one opened, the session cookie does not exist and hence a new one is created. This behaviour is not specific to tomcat. The thing to watch out for is that different browsers deal with the cookie differently (see here for more details).
You may be able to artificially create a notification when the browser closes using the javascript onUnload() command, but this isn't a great idea as many people disable that command due to it being used to create advertising popups.
 
M.K.A. Monster
Ranch Hand
Posts: 130

Originally posted by Pete Harris:
You may be able to artificially create a notification when the browser closes using the javascript onUnload() command, but this isn't a great idea as many people disable that command due to it being used to create advertising popups.


Yes, of course, and some people do turn off the power of their computer or disconnect from the internet. So this doesn't work for every case.
What about this:
Create a kind of cookie listener, which destroys sessions after inactivity of 5 minutes or something.
 
Ranch Hand
Posts: 260
You don't need a cookie listener, every time the user clicks another link inside your application the session's maxinactiveinterval can be updated to the new value.
In any case Stefan is totally right.
 
Pete Harris
Ranch Hand
Posts: 39

Originally posted by Asher Tarnopolski:
You don't need a cookie listener, every time the user clicks another link inside your application the session's maxinactiveinterval can be updated to the new value.
In any case Stefan is totally right.


This type of session management is done automatically by the servlet container. All that is required is to set the session timeout time in the web.xml file under the session-timeout tag. If no request is received within the time specified, the session is automatically invalidated.
 
Anirban dutta
Ranch Hand
Posts: 89
Thanks all for your ideas. Pete, you are very right that the servlet container does this type of session management. But I want this for a different reason. I have a web application which doesn't allow two logins of the same user. It stores the userid in ServletContext and then for each login checks whether the user is in the ServletContext or not. This is destroyed at the time of logout (when the user presses the logoff button). Now if the user closes the window the session is not terminated, and the same user will not be able to log in till session-timeout. I wanted to avoid this. Is this possible?
 
Pete Harris
Ranch Hand
Posts: 39
I've come across this before in a webapp I was writing and there is no satisfactory answer. If it's running on an internal company intranet or something where the environment is controlled, then the onUnload javascript will work as you will know exactly which browsers and versions will be running and can test them.
Otherwise your only option (and this is the one I took) is to have standard timeouts controlled by the container, but also have a warning on the login screen saying that if you already have a session active, re-logging in will destroy the old session.
 
Sheriff
Posts: 7001
Depending on the situation you can often make this approach a little smarter by storing something such as an IP address with the userid.
If the user tries to log on again from the same IP address before the session has expired, it's probably because they closed the browser. You should offer the choice of closing their old session and starting a new one.
If the user tries to log on again from a different IP address, then it is probably because the browser is still open on the old machine, and may mean that two people are using the same userid. In this case it's usually best to refuse the login with a message indicating that the user is already logged in elsewhere.
A much better solution, usually, is to build your application so that it doesn't care if the same user logs on twice. Makes testing much easier too!
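
Added example, not part of any post in this thread: one way to combine the suggestions above (userid stored with the IP address, an offered takeover from the same address, a refusal from a different one, and cleanup on timeout). The class name `SingleLoginRegistry`, the `Decision` values and the `login` method are hypothetical; it assumes the `javax.servlet` API (Servlet 3.x, newer containers use `jakarta.servlet`) and that the class is registered as a `<listener>` in web.xml.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical class (added example); register it as a <listener> in web.xml.
public class SingleLoginRegistry implements HttpSessionListener {

    public enum Decision { LOGGED_IN, OFFER_TAKEOVER, REFUSED }

    private static final class Entry {
        final HttpSession session;
        final String ip;
        Entry(HttpSession session, String ip) { this.session = session; this.ip = ip; }
    }

    // userId -> live session. Static, because the container creates the listener instance.
    private static final ConcurrentMap<String, Entry> ACTIVE = new ConcurrentHashMap<>();

    // Call only after the credentials were verified. ip is request.getRemoteAddr(); behind
    // NAT or a reverse proxy many users share one address, so treat it as a hint only.
    // takeover is true once the user has confirmed "close my old session".
    public static Decision login(String userId, String ip, HttpSession fresh, boolean takeover) {
        Entry mine = new Entry(fresh, ip);
        Entry old = ACTIVE.putIfAbsent(userId, mine);
        if (old == null || old.session.getId().equals(fresh.getId())) return Decision.LOGGED_IN;
        if (!old.ip.equals(ip)) return Decision.REFUSED;        // probably still open elsewhere
        if (!takeover) return Decision.OFFER_TAKEOVER;          // probably a closed browser
        if (!ACTIVE.replace(userId, old, mine)) return Decision.OFFER_TAKEOVER; // lost a race
        try {
            old.session.invalidate();                           // end the orphaned session now
        } catch (IllegalStateException alreadyExpired) {
            // the old session timed out in the meantime; nothing left to do
        }
        return Decision.LOGGED_IN;
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) { }

    // Fires on the logoff button (invalidate()) and on session-timeout, so a closed
    // browser blocks the user at most until the timeout instead of leaking the entry.
    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        String id = se.getSession().getId();
        ACTIVE.values().removeIf(e -> e.session.getId().equals(id));
    }
}
```

A login servlet would call `SingleLoginRegistry.login(userId, request.getRemoteAddr(), request.getSession(), confirmed)` and show the takeover prompt or the "already logged in elsewhere" message according to the returned `Decision`.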
 