This week's book giveaway is in the General Computing forum. We're giving away four copies of Arduino in Action and have Martin Evans, Joshua Noble, and Jordan Hochenbaum on-line! See this thread for details.
I initially thought "no, since the browser doesn't notify the server-side, there is no way to invalidate the session on browser close." But this didn't make sense when I thought of it. Log in to a site. Close all your browsers and then return. You'll be logged out. So it's possible someohow.
(for Tomcat) in conf/web.xml (or inside the individual application's WEB-INF/web.xml) there is a session configuration tag.
If you set the timeout to -1 that means "never" but I've seen some people say that it means "when the browser closes". So you might investigate if using -1 gives you the behaviour you want. [ February 10, 2003: Message edited by: Mike Curwen ]
I've got another opinion: It's not possible. The reason that it appears to work for tomcat is in my opinion: Tomcat sends a temporary cookie which is not permanently saved on the browser. It contains the jsessionid. When the browser is closed the temporary cookie is discarded. After restarting and reconnecting tomcat finds that the browser doesn't send a jsessionid and thus creates a new session for this client. This creates the effect that you're logged off after exiting the browser. Yours, Stefan
Joined: May 02, 2002
Yes off-course and some people do turn off the power of their computer or disconnect from the internet. So this doesn't work for every case. What about this: Create a kind of cookie listener, which destroys sessions after inactivity of 5 minutes or something.
you don't need a cookie listener, every time the user clicks another link inside your application the session's maxinactiveinterval can be updated to the new value. in any case stefan is totally right.
Joined: Feb 05, 2003
Originally posted by Asher Tarnopolski: you don't need a cookie listener, every time the user clicks another link inside your application the session's maxinactiveinterval can be updated to the new value. in any case stefan is totally right.
This type of session management is done automatically by the servlet container. All that is required is to set the sesion timeout time in the web.xml file under the session-timeout tag. If no request is received within the time specified, the session is automatically invalidated.
Joined: Aug 08, 2002
Thanks all for your ideas. Pete, you are very right that the servlet container does this type of session management. But I want this for a different reason. I have a web application which doesen't allow two logins of the same user. it stores the userid in ServletContext and then for each login checks whether the user is in the ServletContext or not. This is destroyed at the time of logout(when the user presses the logoff button). Now if the user closes the window the session is not terminated, and the same user will not be able to login till session-timeout. I wanted to avoid this. Is this possible?
Joined: Feb 05, 2003
Depending on the situation you can often make this approach a little smarter by storing something such as an IP address with the userid. If the user tries to log on again from the same IP address before the session has expired, it's probably because they closed the browser. You should offer the choice of closing their old session and starting a new one. if the user tries to log on again from a different IP address, then it is probably because the browser is still open on the old machine, and may mean that two people are using the same userid. In this case it's usually best to refuse the login with a message indicating that the user is already logged in elsewhere. A much better solution, usually, is to build your application so that it doesn't care if the same user logs on twice. Makes testing much easier too!