File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes Servlets and the fly likes Spring mvc-Destroy Session after closing the browser? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » Servlets
Bookmark "Spring mvc-Destroy Session after closing the browser?" Watch "Spring mvc-Destroy Session after closing the browser?" New topic

Spring mvc-Destroy Session after closing the browser?

selva raja
Ranch Hand

Joined: Nov 24, 2009
Posts: 69
Dear All,

In spring MVC application after a user has logged in , a session is started.The session is destroyed after user clicked :Log out button.
when the user forgets to logout and closes the browser immediately, the session still exists because when the user open the browser again and comes back to the site he/she is still logged in.

I want the session to be destroyed when the user closes the browser immediately.

Is there a way to destroy a session.?

Nathan Pruett

Joined: Oct 18, 2000
Posts: 4121

HTTP communication doesn't work this way. Simply set the session timeout to something sensible.

There are various attempts to do this through Javascript, Applets, or Flash - but these don't always work as the user may have an incompatible browser, Javascript turned off, or not have the appropriate plugin installed - so you have to fall back on setting the session timeout anyway.

This isn't specific to Spring, so moving to the Servlets forum.

Write once, run anywhere, because there's nowhere to hide! - /. A.C.
Bear Bibeault
Author and ninkuma

Joined: Jan 10, 2002
Posts: 63868

Please SearchFirst -- this issue has been addressed countless times and the conclusion is always the same: you cannot reliably do this. Just rely upon the session time-out as Nathan suggested.

[Asking smart questions] [About Bear] [Books by Bear]
Gaurav Sagar
Ranch Hand

Joined: Sep 08, 2010
Posts: 97

A session reference is stored at the client side in the form of cookie which in case of session is named "sessionid" and contains some numeric value. The cookies are always stored into the browser's temporary data storage.

Coming to the point, the default age of the session cookie is always "-1", which means that the cookie gets deleted, as soon as the browser instance is destroyed.
This simply means destroying the only reference to existing session. Henceforth, the previous session in not retrievable. So, if you are being able to retrieve a session even after the browser instance is destroyed(closed), then make sure that you have not tampered with the default value of the session cookie, by passing some positive integer value to the cookie.setMaxAge(int), which would mean that the cookie would persist at the client side for that number of seconds you passed as the int to the method.

If that is not the case, make sure that you are not using URL Rewriting in your web-application, which appends the session-id at the end of the url(usually done when cookie support isn't present). This means that if you are copying the link address(containing the session-id appended) and pasting in your browser's address bar, the session could always be retrieved if it hasn't timed out.

Finally, one should always use session time-out feature in the deployment descriptor, this saves resources and reduces load onto the web server besides being customizable.

SCJP 1.6(91%), SCWCD 1.5(100%), SCBCD in progress
Ravi Kiran Va
Ranch Hand

Joined: Apr 18, 2009
Posts: 2234

Hi , this is the code i ahve found it that works fine under IE 6 , dont know aboout other versions and other browsers

Save India From Corruption - Anna Hazare.
selva raja
Ranch Hand

Joined: Nov 24, 2009
Posts: 69

Is it possible to implement in banking web site?

I agree. Here's the link:
subject: Spring mvc-Destroy Session after closing the browser?
It's not a secret anymore!