This week's giveaway is in the Android forum.
We're giving away four copies of Android Security Essentials Live Lessons and have Godfrey Nolan on-line!
See this thread for details.
The moose likes Servlets and the fly likes update database when session got invalidated Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Android Security Essentials Live Lessons this week in the Android forum!
JavaRanch » Java Forums » Java » Servlets
Bookmark "update database when session got invalidated" Watch "update database when session got invalidated" New topic
Author

update database when session got invalidated

Lokendra Shekhawat
Ranch Hand

Joined: Jun 08, 2009
Posts: 40
Hi friends, I am new to this site. this is my first post.
i have a question. i am working on my college project and i got problem.

so here is the senerio: i created a table 'users' which contain some columns. including security_check, its default value is logged_out.

so here is my question. whenever a user login i set this column value for that particular user to logged_in, so that the same login details can't be used twice. and i set it back to its default value which is logged_out.


Now here is the problem when a user log in and closes his browser, then still the column value for security_check is logged_in.

i want to know how can i set Security_check column value to default when user closes its browser.

for more information: i am using session to validate user is every page.
Please reply.

SCJP5 93%. SCWCD 98%.

Visit my website http://www.rajasthan4tourism.com for information about rajasthan tourist places and much more.....!!!
Brett Maclean
Greenhorn

Joined: May 01, 2009
Posts: 22
There are a couple of options you could think about. The first might be to use client side code (i.e. Javascript) to catch those types of events and then trigger the appropriate database update. The issue with that may be making sure in the client code you can identify which user has logged out.

The better option might be to use an HTTPSessionListener (see javax.servlet.http.HttpSessionListener) that will update your database table when a session is destroyed. If you are using the HttpSession to determine authorisation etc. then this might be the better choice.

HTH



http://www.ontruenorth.com
Follow us on Twitter: http://twitter.com/truenorth_buzz
Jan Cumps
Bartender

Joined: Dec 20, 2006
Posts: 2491
    
    8

What some applications (say: SAP) do, is,

when you log on, and it seems that you still have a log on active,
it allows you to choose:

a - stop this new log on : the new session closes.

b - stop the old log on, and allow the new session:
From that moment on, if the old session would still exist, the system would reject all activity in the old session, and only requests of the new session would be handled.


OCUP UML fundamental and ITIL foundation
youtube channel
Lokendra Shekhawat
Ranch Hand

Joined: Jun 08, 2009
Posts: 40
I already tried HttpSessionListener and written the code in its session destroy method to update the database table. but its not working.

i will give the code of HttpSessionListener class. after sometime.
Jeanne Boyarsky
internet detective
Marshal

Joined: May 26, 2003
Posts: 30136
    
150

Lokendra Shekhawat wrote: but its not working.

You'll want to elaborate on what "not working" means. It's supposed to work so the exception or details would help figure out why.


[Blog] [JavaRanch FAQ] [How To Ask Questions The Smart Way] [Book Promos]
Blogging on Certs: SCEA Part 1, Part 2 & 3, Core Spring 3, OCAJP, OCPJP beta, TOGAF part 1 and part 2
Shailesh Narkhede
Ranch Hand

Joined: Jul 10, 2008
Posts: 368
Hi Lokendra,
welcome to javaranch.

you are logging out by,
1) Using some link or button or
2)By simply you are saying you close browswer window?

because when you close browser window HttpSessionListener methods not getting called.


Thanks,
Shailesh
Lokendra Shekhawat
Ranch Hand

Joined: Jun 08, 2009
Posts: 40
Sorry for late.
here is the senerio:
i am using database to store user details including username and password.(also Security_check column which have "logged_out" as default).
whenever a user log in i modify the security_check value to "logged_in" from the page where i validate user(servlet). and whenever user hits logout button i explicitly change security_check value to its default value.
until now everything is fine.
but,
when user closes his browser without logging out, then there is a big problem because the security_check column value for that user is still "logged_in" and after that when that user tires to log-in he will get error message that you are already logged in( because i checked for security_check variable before allowing any user to log-in, and in his case he is already logged in. so he can't log-in. and also he can't log-out because the session got expired when he closes the browser. so what should i do???


below is the code i user for HttpSessionListener class: (which is not working):

==============//=================//=======================//==============

package com.svc.session;

import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import java.sql.*;
import javax.servlet.http.HttpSession;


public class Session_Invalidator implements HttpSessionListener
{
public Session_Invalidator()
{
try
{
Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
}
catch(Exception e){}
}

public void sessionCreated(HttpSessionEvent se)
{

}

public void sessionDestroyed(HttpSessionEvent se)
{
HttpSession session = se.getSession();
String uName = session.getAttribute("userName").toString().trim();

Connection con = null;
PreparedStatement stmt = null;

try
{
con = DriverManager.getConnection("jdbc: odbc:CMS","",""); // i am using space between colon and odbc bec if i don't it will be converted to smile, so ignore the space
stmt = con.prepareStatement("update Users set security_check=default where login_name=?");
stmt.setString(1, uName);
int no = stmt.executeUpdate();
}
catch(Exception e){}

}

}


==========//=====================//========================//==================


Any suggestions. Please!
Brett Maclean
Greenhorn

Joined: May 01, 2009
Posts: 22
Hi Lokendra,

You've also specified your SessionListener in the web.xml right - i.e. ?


<web-app>
<listener>
<listener-class>com.svc.session.Session_Invalidator</listener-class>
</listener>
</web-app>


When you say it isn't working, is it throwing an exception or does it not appear as if it's being called.

One last point ... it's always good practice to close JDBC resources in a finally statement.
Lokendra Shekhawat
Ranch Hand

Joined: Jun 08, 2009
Posts: 40
No i haven't specified it in the web.xml file. now i will do it write now and reply.
about the second question. no exception nothing whenever user tries to log-in(when he closed his browser without logging out) he won't be able to log in bec Security_check column value is still logged_in.
Vishwanath Krishnamurthi
Ranch Hand

Joined: Jun 04, 2007
Posts: 331

because when you close browser window HttpSessionListener methods not getting called.


You mean to say HttpSessionListener methods wont get called when you close the browser?

No, if you close all the browser instances, (and you dont have cookies with a max age set) the session would get invalidated and the listener method sessionDestroyed() would get called.


Blog
Lokendra Shekhawat
Ranch Hand

Joined: Jun 08, 2009
Posts: 40
i am back with the answer:

i added that entry in web.xml file.
and i logged in with one user and waited till session gets timeout. in this condition HttpSessionListener is working, that is, its setting the Security_check value to its default but when i directly close the browser and again open the browser and retry logging the same user, then i am not able to because that security_check value is still "logged_in" it means when i close the browser the session is getting invalidated but the HttpSessionListener class is not running when i am closing the browser.

please help tel me what to do in this condition.
Lokendra Shekhawat
Ranch Hand

Joined: Jun 08, 2009
Posts: 40
please reply!!!
Jan Cumps
Bartender

Joined: Dec 20, 2006
Posts: 2491
    
    8

Lokendra Shekhawat wrote:please reply!!!
Hi, Lokendra. We 're all volunteers. And it was night time.
I am convinced that once someone knows how to help you, you will get a reply.
Regards, Jan
Brett Maclean
Greenhorn

Joined: May 01, 2009
Posts: 22
In this case I think you will need to go back to the first option, of using Javascript to capture the close event and then either an AJAX request or a form submission to a servlet which will call your database state update code. I'm no Javascript expert but there is a suggested solution on Java Junction. Just as full disclosure, I haven't used this.

The other option, is the one that Jan suggested earlier.


What some applications (say: SAP) do, is,

when you log on, and it seems that you still have a log on active,
it allows you to choose:

a - stop this new log on : the new session closes.

b - stop the old log on, and allow the new session:
From that moment on, if the old session would still exist, the system would reject all activity in the old session, and only requests of the new session would be handled


Personally, I think this is preferable but maybe that's just my fear of Javascript talking :-)

Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60804
    
  65

There is no "close event" in JavaScript.


[Asking smart questions] [Bear's FrontMan] [About Bear] [Books by Bear]
Brett Maclean
Greenhorn

Joined: May 01, 2009
Posts: 22
Ok, well the code below called the Javascript (to say hello) when I closed my browser window (I am using Chrome). This snippet is just an altered version of the code at the link I posted above.



My "close event" is the onbeforeunload event ... as I said above, JS isn't my strong suit but this certainly seemed to work. Now just replace alert('hello'); with a script that will call your server-side code. Best left as an exercise for the reader :-)
Praveen Sridharan
Greenhorn

Joined: Dec 12, 2006
Posts: 2
Hi Brett,
I am also struck up with the same issue. But my worry is, at the time of unload event, suppose you consider there is a network problem, so that the client cannot communicate with the server. Suppose the session time out is 5 minutes and if the same user tries to login to the web application after 2 mins (After network recovery ) He/she may not be able to login for other 3 minutes. Moreover, session timeout is not properly happening after 5 mins. Its taking nearly 6 mins in some cases. If some body has any solutions please let me know.

Thanks and Regards,
Praveen.


"Laugh and the world laughs with you."
 
jQuery in Action, 2nd edition
 
subject: update database when session got invalidated
 
Similar Threads
how to make logout page?
Session Management problem
Problem with session
HttpSession issue with Popups
How to set Security_check in second level?