Invalidating user session on browser window close

Anirban dutta
Ranch Hand

Joined: Aug 08, 2002
Posts: 89
Hi all,
I want to invalidate an HTTPSession when the client closes the browser window. Is it possible?
Any help is highly appreciated.
Thanks
Mike Curwen
Ranch Hand

Joined: Feb 20, 2001
Posts: 3695

I initially thought "no, since the browser doesn't notify the server-side, there is no way to invalidate the session on browser close." But this didn't make sense when I thought of it. Log in to a site. Close all your browsers and then return. You'll be logged out. So it's possible somehow.


(for Tomcat) in conf/web.xml (or inside the individual application's WEB-INF/web.xml) there is a session configuration tag.

If you set the timeout to -1 that means "never" but I've seen some people say that it means "when the browser closes". So you might investigate if using -1 gives you the behaviour you want.
[ February 10, 2003: Message edited by: Mike Curwen ]
M.K.A. Monster
Ranch Hand

Joined: May 02, 2002
Posts: 130
Maybe it must be zero '0'. In that case the session (a cookie on the client side) will not be saved as a file, only in the cache of the browser, or something like that.
Yours,
Mark Monster
Stefan Krause
Greenhorn

Joined: Oct 02, 2002
Posts: 7
I've got another opinion:
It's not possible.
The reason that it appears to work for Tomcat is, in my opinion: Tomcat sends a temporary cookie which is not permanently saved on the browser. It contains the jsessionid. When the browser is closed the temporary cookie is discarded. After restarting and reconnecting, Tomcat finds that the browser doesn't send a jsessionid and thus creates a new session for this client. This creates the effect that you're logged off after exiting the browser.
Yours,
Stefan
Pete Harris
Ranch Hand

Joined: Feb 05, 2003
Posts: 39
Stefan is exactly correct, the browser stores the session cookie in its memory space and so if the browser is closed and a new one opened, the session cookie does not exist and hence a new one is created. This behaviour is not specific to Tomcat. The thing to watch out for is that different browsers deal with the cookie differently (see here for more details).
You may be able to artificially create a notification when the browser closes using the javascript onUnload() command, but this isn't a great idea as many people disable that command due to it being used to create advertising popups.
M.K.A. Monster
Ranch Hand

Joined: May 02, 2002
Posts: 130
Originally posted by Pete Harris:
You may be able to artificially create a notification when the browser closes using the javascript onUnload() command, but this isn't a great idea as many people disable that command due to it being used to create advertising popups.

Yes, of course, and some people do turn off the power of their computer or disconnect from the internet. So this doesn't work for every case.
What about this:
Create a kind of cookie listener, which destroys sessions after inactivity of 5 minutes or something.
Asher Tarnopolski
Ranch Hand

Joined: Jul 28, 2001
Posts: 260
You don't need a cookie listener; every time the user clicks another link inside your application the session's maxinactiveinterval can be updated to the new value.
In any case Stefan is totally right.


Asher Tarnopolski
SCJP,SCWCD
Pete Harris
Ranch Hand

Joined: Feb 05, 2003
Posts: 39
Originally posted by Asher Tarnopolski:
You don't need a cookie listener; every time the user clicks another link inside your application the session's maxinactiveinterval can be updated to the new value.
In any case Stefan is totally right.

This type of session management is done automatically by the servlet container. All that is required is to set the session timeout time in the web.xml file under the session-timeout tag. If no request is received within the time specified, the session is automatically invalidated.
Anirban dutta
Ranch Hand

Joined: Aug 08, 2002
Posts: 89
Thanks all for your ideas. Pete, you are very right that the servlet container does this type of session management. But I want this for a different reason. I have a web application which doesn't allow two logins of the same user. It stores the userid in ServletContext and then for each login checks whether the user is in the ServletContext or not. This is destroyed at the time of logout (when the user presses the logoff button). Now if the user closes the window the session is not terminated, and the same user will not be able to log in till session-timeout. I wanted to avoid this. Is this possible?
Pete Harris
Ranch Hand

Joined: Feb 05, 2003
Posts: 39
I've come across this before in a webapp I was writing and there is no satisfactory answer. If it's running on an internal company intranet or something where the environment is controlled, then the onUnload javascript will work as you will know exactly which browsers and versions will be running and can test them.
Otherwise your only option (and this is the one I took) is to have standard timeouts controlled by the container, but also have a warning on the login screen saying that if you already have a session active, re-logging in will destroy the old session.
Frank Carver
Sheriff

Joined: Jan 07, 1999
Posts: 6920
Depending on the situation you can often make this approach a little smarter by storing something such as an IP address with the userid.
If the user tries to log on again from the same IP address before the session has expired, it's probably because they closed the browser. You should offer the choice of closing their old session and starting a new one.
If the user tries to log on again from a different IP address, then it is probably because the browser is still open on the old machine, and may mean that two people are using the same userid. In this case it's usually best to refuse the login with a message indicating that the user is already logged in elsewhere.
A much better solution, usually, is to build your application so that it doesn't care if the same user logs on twice. Makes testing much easier too!


Read about me at frankcarver.me ~ Raspberry Alpha Omega ~ Frank's Punchbarrel Blog
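
The approach the thread converges on (container-managed timeouts, a re-login that replaces the orphaned session, and the IP comparison suggested above) can be sketched as follows. This is an added example, not code posted by anyone in the thread. The class name, attribute names and `Decision` enum are hypothetical, and it assumes the javax.servlet API on Java 8 or later.

```java
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical helper (not from the thread): at most one live session per userid.
@WebListener // Servlet 3.0+; on older containers declare it with <listener> in web.xml
public class SingleLoginRegistry implements HttpSessionListener {
    public enum Decision { ACCEPTED, REPLACED_OLD_SESSION, REFUSED_OTHER_ADDRESS }
    private static final String USER_ATTR = "singleLogin.userId";     // assumed names
    private static final String ADDR_ATTR = "singleLogin.remoteAddr";
    private static final ConcurrentHashMap<String, HttpSession> ACTIVE = new ConcurrentHashMap<>();

    // Call from the login servlet once credentials are verified; remoteAddr is
    // request.getRemoteAddr(). NAT and proxies share addresses, so it is only a hint.
    public static synchronized Decision login(String userId, String remoteAddr, HttpSession fresh) {
        Decision result = Decision.ACCEPTED;
        HttpSession old = ACTIVE.get(userId);
        if (old != null && !old.getId().equals(fresh.getId())) {
            try {
                if (!remoteAddr.equals(old.getAttribute(ADDR_ATTR))) {
                    return Decision.REFUSED_OTHER_ADDRESS; // old session stays valid
                }
                ACTIVE.remove(userId);
                old.invalidate();                          // same address: drop the orphan
                result = Decision.REPLACED_OLD_SESSION;
            } catch (IllegalStateException expired) { /* old session already timed out */ }
        }
        fresh.setAttribute(USER_ATTR, userId);
        fresh.setAttribute(ADDR_ATTR, remoteAddr);
        ACTIVE.put(userId, fresh);
        return result;
    }

    // Runs on explicit logout (invalidate()) and on session-timeout alike, so the
    // userid is released even when the user just closed the browser window.
    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        HttpSession gone = event.getSession();
        Object userId = gone.getAttribute(USER_ATTR);
        if (userId != null) { // remove the entry only if this session still owns it
            ACTIVE.computeIfPresent((String) userId,
                    (id, current) -> current.getId().equals(gone.getId()) ? null : current);
        }
    }

    @Override
    public void sessionCreated(HttpSessionEvent event) { }
}
```

On `REFUSED_OTHER_ADDRESS` the new session is not registered, so the login servlet should leave it unauthenticated and show the "already logged in elsewhere" message.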
 