In spring MVC application after a user has logged in , a session is started.The session is destroyed after user clicked :Log out button.
when the user forgets to logout and closes the browser immediately, the session still exists because when the user open the browser again and comes back to the site he/she is still logged in.
I want the session to be destroyed when the user closes the browser immediately.
HTTP communication doesn't work this way. Simply set the session timeout to something sensible.
This isn't specific to Spring, so moving to the Servlets forum.
Write once, run anywhere, because there's nowhere to hide! - /. A.C.
A session reference is stored at the client side in the form of cookie which in case of session is named "sessionid" and contains some numeric value. The cookies are always stored into the browser's temporary data storage.
Coming to the point, the default age of the session cookie is always "-1", which means that the cookie gets deleted, as soon as the browser instance is destroyed.
This simply means destroying the only reference to existing session. Henceforth, the previous session in not retrievable. So, if you are being able to retrieve a session even after the browser instance is destroyed(closed), then make sure that you have not tampered with the default value of the session cookie, by passing some positive integer value to the cookie.setMaxAge(int), which would mean that the cookie would persist at the client side for that number of seconds you passed as the int to the method.
If that is not the case, make sure that you are not using URL Rewriting in your web-application, which appends the session-id at the end of the url(usually done when cookie support isn't present). This means that if you are copying the link address(containing the session-id appended) and pasting in your browser's address bar, the session could always be retrieved if it hasn't timed out.
Finally, one should always use session time-out feature in the deployment descriptor, this saves resources and reduces load onto the web server besides being customizable.