The session can be invalidated by the following ways:
1. calling invalidate() method 2. Allowing the server to time-out the session
Also, I wonder if we close the browser (the user was in session and a session id was maintained), and open a new browser with same URL (forget about username/password..it is a clean URL without authentication...like counter servlet):
1. Same session id would be maintained? or new session id would be created? 2. What happens if I append the URL with jsessionid=<session-id-number>?
Thanks a lot, Guru [ July 24, 2006: Message edited by: Bear Bibeault ]
Every server will maintained session for specific amount of time,...if you open the window once again before that time elapse,then definitely Same session id will be used...
Because when u sent Session ID in Header ...server will check whether it is a valid Session ID or not(Here Valid means whether it exist in server or not)....So , i think same session ID will be used
New session Id will be created only if 1.your session time-out occured 2.if you have not enabled cookie and not using sessionID in URL.... [ July 24, 2006: Message edited by: harish thrivile ]
Giving up is the easiest thing in the world to do..but holding it together when everything seems like falling apart is true strength!!
with regards, Harish.T
Joined: Feb 13, 2003
In my testcase, I have found the folloiwin on weblogic server
1. If you open new browser with URL alone, it creates a new session id. 2. If you refresh in the same browser, same session id is used 3. If you open a new broser with URL appended jsessionid, same session id is used.
Joined: Dec 01, 2005
1. If you open new browser with URL alone, it creates a new session id
yes...it is correct ...Because...if you are not sending sessionID then how will server recognize you...you have to send sessionID to server,here you told you are not sending it through URL(& if your cookie is disabled then server cannot identify you ),So,no sessionID to resognize the session, So it will create new SessionID thinking that you are asking for that resourse for the first time
2.If you refresh in the same browser, same session id is used
Here ,since you have already accessed the server , server have sent sessionId (may be appended to URL or store that in cookie...it depends whether u enabled\disabled cookie).....if it is written in URL then,when u press refresh button ,since you are having Session ID appended in URL..same session ID will be used(if time out has not elapsed)
3.If you open a new broser with URL appended jsessionid, same session id is used.
thats correct ..because server can identify you through Session id ,so no need to create another session id(ofcource if time out has not occured).... [ July 24, 2006: Message edited by: harish thrivile ]
Originally posted by Romi Dave: So how do you invalidate a session when the user closes the browser window? :roll:
The server (where servlets live) doesn't know if a user has closed the browser window. So, in this case, the session will just time out. If the user opens a new browser and makes a request to your app, it will start a new session.
(if you're using url re-writing and the user manually enters the URL or has had it bookmarked, it could be possible to re-join this session if they hit your app before the session has timed out but this is a fringe case).