aspose file tools*
The moose likes Servlets and the fly likes Session Invalidate -- Many ways Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of EJB 3 in Action this week in the EJB and other Java EE Technologies forum!
JavaRanch » Java Forums » Java » Servlets
Bookmark "Session Invalidate -- Many ways" Watch "Session Invalidate -- Many ways" New topic
Author

Session Invalidate -- Many ways

Gurumurthy Ramamurthy
Ranch Hand

Joined: Feb 13, 2003
Posts: 272
Guys:

The session can be invalidated by the following ways:

1. calling invalidate() method
2. Allowing the server to time-out the session

Also, I wonder if we close the browser (the user was in session and a session id was maintained), and open a new browser with same URL (forget about username/password..it is a clean URL without authentication...like counter servlet):

1. Same session id would be maintained? or
new session id would be created?
2. What happens if I append the URL with jsessionid=<session-id-number>?

Thanks a lot,
Guru
[ July 24, 2006: Message edited by: Bear Bibeault ]
Harish Tiruvile
Ranch Hand

Joined: Dec 01, 2005
Posts: 99
Hi , Gurumurthy Ramamurthy

Every server will maintained session for specific amount of time,...if you open the window once again before that time elapse,then definitely Same session id will be used...

Because when u sent Session ID in Header ...server will check whether it is a valid Session ID or not(Here Valid means whether it exist in server or not)....So , i think same session ID will be used



New session Id will be created only if
1.your session time-out occured
2.if you have not enabled cookie and not using sessionID in URL....
[ July 24, 2006: Message edited by: harish thrivile ]

Giving up is the easiest thing in the world to do..but holding it together when everything seems like falling apart is true strength!!
with regards, Harish.T
Gurumurthy Ramamurthy
Ranch Hand

Joined: Feb 13, 2003
Posts: 272
No.

In my testcase, I have found the folloiwin on weblogic server

1. If you open new browser with URL alone, it creates a new session id.
2. If you refresh in the same browser, same session id is used
3. If you open a new broser with URL appended jsessionid, same session id is used.

Thanks,
Guru
Harish Tiruvile
Ranch Hand

Joined: Dec 01, 2005
Posts: 99
1. If you open new browser with URL alone, it creates a new session id

yes...it is correct ...Because...if you are not sending sessionID then how will server recognize you...you have to send sessionID to server,here you told you are not sending it through URL(& if your cookie is disabled then server cannot identify you ),So,no sessionID to resognize the session, So it will create new SessionID thinking that you are asking for that resourse for the first time


2.If you refresh in the same browser, same session id is used

Here ,since you have already accessed the server , server have sent sessionId (may be appended to URL or store that in cookie...it depends whether u enabled\disabled cookie).....if it is written in URL then,when u press refresh button ,since you are having Session ID appended in URL..same session ID will be used(if time out has not elapsed)

3.If you open a new broser with URL appended jsessionid, same session id is used.

thats correct ..because server can identify you through Session id ,so no need to create another session id(ofcource if time out has not occured)....
[ July 24, 2006: Message edited by: harish thrivile ]
Pavan Kashyap
Greenhorn

Joined: Jul 18, 2006
Posts: 8
Hi all,
I agree to all the points mentioned above.
The same session can be maintained no matter u close the browzer,or refresh or you give session-id...but before the time elapses...
Romi Dave
Greenhorn

Joined: Jul 19, 2006
Posts: 26
So how do you invalidate a session when the user closes the browser window? :roll:

Thanks,
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

Originally posted by Romi Dave:
So how do you invalidate a session when the user closes the browser window? :roll:

Thanks,


The server (where servlets live) doesn't know if a user has closed the browser window. So, in this case, the session will just time out.
If the user opens a new browser and makes a request to your app, it will start a new session.

(if you're using url re-writing and the user manually enters the URL or has had it bookmarked, it could be possible to re-join this session if they hit your app before the session has timed out but this is a fringe case).


Java API J2EE API Servlet Spec JSP Spec How to ask a question... Simple Servlet Examples jsonf
Romi Dave
Greenhorn

Joined: Jul 19, 2006
Posts: 26
So is there a way by which we can invalidate a session when the browser window is closed and not let it just time out? This issue has been troubling me for few days now...

Thanks,
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

no
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Session Invalidate -- Many ways
 
Similar Threads
what is session ?
Chapter 6(Session Management) notes (HFSJ) for revision
Session Filter problem
Different sessions on different firefox tabs ?
How to block multiple logins of the same user