*
The moose likes JSP and the fly likes Killing session when closing the browser Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Android Security Essentials Live Lessons this week in the Android forum!
JavaRanch » Java Forums » Java » JSP
Bookmark "Killing session when closing the browser" Watch "Killing session when closing the browser" New topic
Author

Killing session when closing the browser

preethi Ayyappan
Ranch Hand

Joined: Oct 04, 2007
Posts: 518
Hi,

I am trying to kill the session when closing the browser without logging out properly. But i am unable to kill the session. I am posting the code

index.jsp:



UsingSession.java:



Logout.java


Please assist me to do this.

Thanks

Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41129
    
  45
While you didn't say what's happening and what is or is not working, I'm curious what the reason for wanting to invalidate the session is. It happens automatically after whatever period is set in the web app anyway; is there a need to accelerate that process?


Ping & DNS - my free Android networking tools app
preethi Ayyappan
Ranch Hand

Joined: Oct 04, 2007
Posts: 518
Thanks for your reply. If the user closes the browser without logging out properly, Their session has not been killed and if they try to login again they are not able to login to the form. We need to restart the tomcat again. To overcome this I am trying to accelarate the session kill function to kill the session which logs out properly. Am i doing wrong? Is there any other way to solve this?
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60785
    
  65

Let the session timeout do its thing.


[Asking smart questions] [Bear's FrontMan] [About Bear] [Books by Bear]
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41129
    
  45
If you need to restart Tomcat then you're definitely doing something wrong.

If a session already exists, then the user should not need to log in again. The web app should not even show the login page to anyone who is logged in already.
Sudhakar Sharma
Ranch Hand

Joined: Apr 04, 2009
Posts: 71

Ulf Dittmer wrote:If you need to restart Tomcat then you're definitely doing something wrong.

If a session already exists, then the user should not need to log in again. The web app should not even show the login page to anyone who is logged in already.


Ulf Dittmer told you right and the way how it should work.
But if you really want to kill the session whenever, user closes his browser, you need to go through javascript, because server has no idea of this event.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60785
    
  65

Sudhakar Sharma wrote:But if you really want to kill the session whenever, user closes his browser, you need to go through javascript, because server has no idea of this event.

Neither does JavaScript.
Jessid Leon Velez Gutierrez
Ranch Hand

Joined: Jan 19, 2011
Posts: 35
Hello. I understand that there are better ways to solve what you are trying to do. Nevertheless here is a very simple idea (Please, if I am wrong, someone correct me):

in the login jsp you could use a little code like this to kill your session. If you do it, you assure that the user is not in session when the browser is closed, but when the user is trying to re-login:

<% request.getSession().invalidate(); %>
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60785
    
  65

Scriptlets in 2011?

In any case, visiting a login page is not the same a closing the browser.
Sudhakar Sharma
Ranch Hand

Joined: Apr 04, 2009
Posts: 71

Bear Bibeault wrote:
Sudhakar Sharma wrote:But if you really want to kill the session whenever, user closes his browser, you need to go through javascript, because server has no idea of this event.

Neither does JavaScript.


Can't we use javascript to send another request, when browser is closed, to a servlet that is responsible for invalidating the session.
or
the code inside javascript


then how we invalidate the session immediately after the user closes his browser? Please help
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12761
    
    5
Won't work because the user may be looking at a completely different tab when he closes the browser.

Face Facts - there is no certain way of detecting that the user just closed the browser.

Therefore - you will have to depend on the built in mechanisms to time-out the session.

Bill
Tuna Töre
Ranch Hand

Joined: Aug 17, 2008
Posts: 219

Bear Bibeault wrote:Scriptlets in 2011?

In any case, visiting a login page is not the same a closing the browser.


Which Java Technology you offer other than Scriptles in 2011 ???


blog: http://tunatore.wordpress.com
SCJP 6.0 + SCWCD 1.5
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60785
    
  65

Tuna Töre wrote:
Bear Bibeault wrote:Scriptlets in 2011?
Which Java Technology you offer other than Scriptles in 2011 ???


The JSTL and EL where introduced with JSP 2.0 in 2002! That's almost 10 years ago.

Scriptlets in JSP have been discredited since then -- long since time to move on!
Tuna Töre
Ranch Hand

Joined: Aug 17, 2008
Posts: 219

preethi Ayyappan wrote:Thanks for your reply. If the user closes the browser without logging out properly, Their session has not been killed and if they try to login again they are not able to login to the form. We need to restart the tomcat again. To overcome this I am trying to accelarate the session kill function to kill the session which logs out properly. Am i doing wrong? Is there any other way to solve this?


You should get the session in every jsp pages in the correct way and after getting session correctly, system app. users can use the system without having problem and dont need to login for the second time to server. Moreover you dont neet to restart the Tomcat App. Serv.

There is an example jsp code to get the user session;



As far as I know, there is no way to call a Servlet Method by detecting browser close event. Forexample; in many Banking applications you should see a button to close the Session in a secure way. The user should click this button to close the session or the session times-out by server.

Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336


As far as I know, there is no way to call a Servlet Method by detecting browser close event. Forexample; in many Banking applications you should see a button to close the Session in a secure way. The user should click this button to close the session or the session times-out by server.


There is a way to do it - you hook into the window.onunload event. However, saying something can be done and something should be done are different things. This will only work if the browser is closed normally. So if the process is killed, the browser crashes, the browser has JavaScript disabled or the plug is pulled from the client machine no request will be sent. So relying 100% on this method to invalidate the session is foolish.


JavaRanch FAQ HowToAskQuestionsOnJavaRanch
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60785
    
  65

Moreover, the onunload handler is called whenever a page is unloaded. So there is no way to tell the difference between the browser being closed, and simply navigating to a new page.
Stefan Evans
Bartender

Joined: Jul 06, 2005
Posts: 1016
Tuna Töre wrote:
There is an example jsp code to get the user session;




OR you could just use the implicit variable "session" already defined for you on the JSP. Your choice.

Regarding detecting a closed browser, the only way is client side. The server can't distinguish between a browser that is closed, and a browser that is just no longer sending requests.
The window.onunload event detection is a possible solution, if a bit hacky.
The suggestion I have seen is to use a frameset with two frames. The 'main' frame displays your app, and the second frame is of size 0, and is where you put the window.onunload event. So you will only trigger the onunload event if you completely leave your app, or close the browser window.

Of course whether the onunload event manages to send a "I am closing" event to the server before being closed is another matter.

 
It is sorta covered in the JavaRanch Style Guide.
 
subject: Killing session when closing the browser
 
Similar Threads
Why is javascript function called even before onClick?
Very funny behavior of sessions...
Session counting problem
problem in logout procedure
Session Invalidate