• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

Session Doubt?

 
Ranch Hand
Posts: 10198
3
Mac PPC Eclipse IDE Ubuntu
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Ranchers,

I have a doubt regarding sessions and browsers. The following is what David Bridgewater's book says on sessions,

But what if this user, despite repeated and prolonged training followed up with heavy threats, just closes the browser window? The session is over because the client has gone. Even if the user reopens the browser and connects back to the same web application, the web container will interpret this as a new session.


When I tried this using the code as below,



When I ran it, I opened the browser and accessed the servlet and it printed "This is a new session" - for the first request

Then when I closed the browser and opened it again and accessed the servlet, it gave me "This is an already existing session" I'm confused as it contradicts to what the book says??

Any idea guys?
[ April 25, 2007: Message edited by: Jothi Shankar Kumar Sankararaj ]
 
Sheriff
Posts: 14691
16
Eclipse IDE VI Editor Ubuntu
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Some containers, like Tomcat, have options to serialize the session. This is the default behaviour in Tomcat (expireSessionsOnShutdown=false).
 
Joe San
Ranch Hand
Posts: 10198
3
Mac PPC Eclipse IDE Ubuntu
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Satou,

You are talking about browser shutdown?? Where can I set the expireSessionsOnShutdown=false??
 
Christophe Verré
Sheriff
Posts: 14691
16
Eclipse IDE VI Editor Ubuntu
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Sorry, wrong property. This was "saveOnRestart" :
saveOnRestart : Should all sessions be persisted and reloaded when Tomcat is shut down and restarted (or when this application is reloaded)? By default, this attribute is set to true.

Refer to the following :
http://tomcat.apache.org/tomcat-5.5-doc/config/manager.html
 
Joe San
Ranch Hand
Posts: 10198
3
Mac PPC Eclipse IDE Ubuntu
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Satou,

I'm talking about closing and opening a browser and not about restarting tomcat!
 
Christophe Verré
Sheriff
Posts: 14691
16
Eclipse IDE VI Editor Ubuntu
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
My mistake, sorry. I don't know about closing the browser.
 
Christophe Verré
Sheriff
Posts: 14691
16
Eclipse IDE VI Editor Ubuntu
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Maybe because the session is stored in a cookie, and you are setting its max age to a positive integer. So the session cookie will still be present until the time elapses. I'm not sure about Bridgewater's point.
 
Ranch Hand
Posts: 135
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi Jothi,

I am not sure whether the issue is with your browser or anything else, but when I tried your code on my system it works as intended, so the statement given in the book is correct. When I open the browser for first time I get new session, if I refresh it I get old session and if I close the browser and reopen it again I get new session, as expected. So I can assure you that once browser is closed and reopened again a new session has to get establish since the JSESSIONID cookie has max age set to -1.

Thanks,
-Rancy
 
Joe San
Ranch Hand
Posts: 10198
3
Mac PPC Eclipse IDE Ubuntu
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Rancy,

Are you using Mozilla firefox??
 
Rancy Chadha
Ranch Hand
Posts: 135
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I tried on two browsers IE ver 6.0 and Mozilla Firefox. It works in the intended manner for both the browsers.

Thanks,
-Rancy
 
Joe San
Ranch Hand
Posts: 10198
3
Mac PPC Eclipse IDE Ubuntu
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Strange! I dont know why it is not behaving as intended!!
 
Ranch Hand
Posts: 109
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi Jyoti,

I am with you... Its not behaving as intended for me as well... I am using Tomcat 5.5.23 with IE 6.0
 
Christophe Verré
Sheriff
Posts: 14691
16
Eclipse IDE VI Editor Ubuntu
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
By curiosity, I also tried it. The session cookie is deleted when I close Firefox. I had a JSESSIONID set to be killed when session ends (you can check cookies in Firefox, Tools/Option/Privacy). Restarting Firefox, and accessing the same page shows that a new session is created. Same for IE6. No problem.
 
Joe San
Ranch Hand
Posts: 10198
3
Mac PPC Eclipse IDE Ubuntu
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Any others who tried this?? I want to know the answer??
 
Chetan Raju
Ranch Hand
Posts: 109
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I guess it should be definitely to do something with the browser setting. The JSESSIONID cookie's timeout is always set to -1 which means that the cookie should be invalid/deleted once the browser is closed. That is somehow not happening ?
 
Ranch Hand
Posts: 218
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
As per HFSJ, a session can be destroyed in one of the following 3 cases:

1) Session is invalidated by user (through invalidate())
2) Session times out
3) Application crashes

In light of the above discussion, if the user open a new window before 300 seconds elapse, do you still expect a new session to be created? Would that not be contradictory to the specification?
 
Joe San
Ranch Hand
Posts: 10198
3
Mac PPC Eclipse IDE Ubuntu
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Aniket,

I tried with 30 instead of 300 but still I'm not getting the expected behavior!
 
Ranch Hand
Posts: 95
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi,

This issue is with the Browser Settings.
Reason: Cookies are not recycled(deleted) even after browser is closed.


Hey "Jothi Shankar Kumar Sankararaj" do one thing,

For Mozilla:

1. Click on Tools >> Options >> Privacy.
2. Enable "Alwasy clear my private data when I cloase Firefox".
3. Click on "settings" buttons which appears adjacent to "Alwasy clear my private data when I cloase Firefox" check box.
4. Enable "Cookies" option.

And then give a try!!! I hope it should work.


Regards,

Amit Goyal
 
Joe San
Ranch Hand
Posts: 10198
3
Mac PPC Eclipse IDE Ubuntu
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Amit,

But this is fine, the HFSJ book on page 273 for the question 3 it says that there is no mechanism in the HTTP protocol to invalidate session when we close the browser

Doesn't this contradict to what has been said in David Bridgewater's book??
 
Chetan Raju
Ranch Hand
Posts: 109
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by Amit Goyal:
Hi,

This issue is with the Browser Settings.
Reason: Cookies are not recycled(deleted) even after browser is closed.


Hey "Jothi Shankar Kumar Sankararaj" do one thing,

For Mozilla:

1. Click on Tools >> Options >> Privacy.
2. Enable "Alwasy clear my private data when I cloase Firefox".
3. Click on "settings" buttons which appears adjacent to "Alwasy clear my private data when I cloase Firefox" check box.
4. Enable "Cookies" option.

And then give a try!!! I hope it should work.


Regards,

Amit Goyal



But Amit, shouldn't the JSESSIONID which is set, be cleared automatically whenever the browser is closed without manually doing it as you said above ?
 
Ranch Hand
Posts: 77
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi all,
There are two kind of cookies. Dyanamic cookie and persistance cookie. when you set the max age of cookie to -1, you will get a dyanamic cookie. and on the other hand when you specify a time for the max age of cookie you will get a persistance cookie. this persistance cookie will be persistance for the time specified.

in case of dyanamic cookie, each time a browser is opened a new session is created. But in the case of persistance cookie, a new session is created for the first time but if you open next time the browser, within the age of cookie, a new session is not created instead the same session is used as it is available in the cookie to the browser.

So in your example, you have created a persisitance cookie that stays alive for 300 seconds. So when you tried to open the second time , the cookie was alive and was used to get the previous session that was created when you first opened the browser.

and in the case of Rancy , i hope the browser doesn't support cookie itself. so a new session was created each time ,a new browser was opened.

i Hope you understood the problem .

regards,
Arjun.
 
Joe San
Ranch Hand
Posts: 10198
3
Mac PPC Eclipse IDE Ubuntu
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Arjun,

From where did this terminologies come from?? Dynamic and persistence cookies??
 
Ranch Hand
Posts: 78
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi all,

New browser is showing:

Hi Stein This is a new session
 
Greenhorn
Posts: 6
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
did you not try to invalidate the session whenever user closes the window by using java script.Try it.

Session object remains in the server memory untill 3 above told conditions are not satisfied.

So when you close the window invalidate the session .
 
Amit Goyal
Ranch Hand
Posts: 95
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

But Amit, shouldn't the JSESSIONID which is set, be cleared automatically whenever the browser is closed without manually doing it as you said above ?



Hey Chetan, the settings I told are just one time setup you don't have to do it again and again.

Any ways, there are other ways to get around the situations, one can use url rewritting to managae session instead of Cookies.



Regards,

Amit Goyal
 
Joe San
Ranch Hand
Posts: 10198
3
Mac PPC Eclipse IDE Ubuntu
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
The head first says, closing a browser window should not invalidate the session. So when you see a new session after closing and opening the browser, this seems something which is illogical and that too even after doing all the necessary settings.
 
Christophe Verré
Sheriff
Posts: 14691
16
Eclipse IDE VI Editor Ubuntu
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
It's not an official source, but the following place says :
If Expires is not set explicitly, then it defaults to end-of-session. The length of a session can vary depending on browsers and servers, but generally a session is the length of time that the browser is open for (even if the user is no longer at that site).

(replace the first 'k' with a 'c')
http://www.kookiecentral.com/faq/#3.3


Another one :
http://www.jguru.com/faq/view.jsp?EID=125053
which states that However, as far as I can tell, there is no standard way to specify the age of the kookie the servlet container uses to drop the session ID on the browser.
 
Joe San
Ranch Hand
Posts: 10198
3
Mac PPC Eclipse IDE Ubuntu
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Satou,

Thanks for the links
 
Ranch Hand
Posts: 226
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi,

I am having issues with this too.

The JSESSIONID is stored in a cookie which has it's age set to -1.

In IE, restarting the browser deletes this cookie (as expected) and the browser prompts me for login details.

In firefox, the cookie wrongly persists, and the app still thinks I am logged in.

Would be keen to get to the bottom of this.

MG
 
Mark Garland
Ranch Hand
Posts: 226
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hm...

This issue with Firefox occurs when I am accessing the server on my local machine from a browser running on my local machine.

When my colleague accesses my server through Firefox, it works as expected (deleting the cookie).

Very odd.

MG
 
Ranch Hand
Posts: 90
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I tried in Mozilla Firefox, it works as documented in Bridgewater. This is kinda confusing, I don't know why we are seeing different results. Cookies are turned on in my browser.
 
Ranch Hand
Posts: 115
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Could any one give the JavaScript funcion for detecting the Browser shut down and invalidating the Session.. :
 
James Mark
Ranch Hand
Posts: 115
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
session will be there(till the timeout)....
It will welcome a cookie for sure(if matching)....
solution is....
Kill the Cookie.....
or you will be like
I suffered for a same situation in my Company Project...
 
Consider Paul's rocket mass heater.
reply
    Bookmark Topic Watch Topic
  • New Topic