4

I have a jsp servlet based application, with session time out of 30 mins, I want to invalidate the session as soon as a person closes the browser window intentionally or accidentally (OS shutdown/close from tast manager/powerdown)

Can I put a check for that and invalidate the session?

jzd
  • 23,473
  • 9
  • 54
  • 76
Varun
  • 5,001
  • 12
  • 54
  • 85

4 Answers4

3

It is not possible to handle this scenario .

There are some browsers which provide this setting as their preference , but you can't handle this programitically.

At max:

You can make a poll from page(may be header) same as gtalk in gmail as soon as connection closes wipe that session out.

jmj
  • 237,923
  • 42
  • 401
  • 438
  • @ororg.life.java - Jigar Joshi - dint get you – Varun Jan 17 '11 at 12:44
  • 2
    *for later part* you might have used google chat from gmail from web browser in that you mighthave observed that when connection closes it shows *trying in. . .* I am following that mechanism make continous poll to server when broswes closes or machine goes off it will stop and you can detect that now its time to invalidate the session , ofcource you need to make a well designed apttern for this otherwise there will be overhead of poll – jmj Jan 17 '11 at 12:47
  • comment is better than answer :) – jmj Jan 17 '11 at 12:47
  • You can use [DWR](http://directwebremoting.org/dwr/index.html) or jquery have a [look](http://stackoverflow.com/questions/1770785/reverse-ajax-jsp-servlet) at similar solution – jmj Jan 18 '11 at 07:23
1

  1. Why do you want to do that, you have already configured that in server that ,session should stay idle for 30 mins,after that it will expire in server.

  2. if you want to do that use the following javascript or jquery(better for cross browser) , when the browse close event happens send an ajax request to invalidate session by running following code in jsp (request.getSession(false).setMaxInactiveInteral(0);)

    From javascript 

    <body onbeforeunload="doAjaxCall();">

    (or)

jQuery(window).bind("beforeunload", function(){

// Do ajax request and dont wait for the response.

});

  3. You can implement the server push ajax polling , for example think that session is going to expire in another 2 seconds , send a server side request to client to invalidate the cookie and also in the server you can invalidate the session.

if ( (getcurrentTime() - session.getCreationTime()) > 2000 ) {
}
  1. While the page is rendered , get the maxinactiveinterval and then set the value to the JavaScript variable , then use setInterval function , pass the inactiveinterval value to function , once the timeout happens you can set the cookie to expire.
Dead Programmer
  • 12,427
  • 23
  • 80
  • 112
  • Sending ajax requests inside an `beforeunload` or `unload` event is not supported by the most browsers, so you should certainly not rely on this. Just let the session expire or make its lifetime short and use polling to keep it alive. – BalusC Jan 17 '11 at 13:27
0

No I don't believe you can do that as there are no hooks available in the browser to get it to send a disconnect notification (of some sort) when it closes and I don't think there is a server-side mechanism to interrogate recent sessions to test their connection status.

trojanfoe
  • 120,358
  • 21
  • 212
  • 242
0

If you are using tomcat 5.0/5.5/6.0 container, the cookie generated by tomcat session manager to track the session (JSESSIONID) is a per-session cookie (browser memory only cookie) instead of a persistent cookie (write to disk). That's because the session manager does (hardcoded) setMaxAge(-1), so that the generated HTTP-response contains: Set-Cookie: JSESSIONID=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX; Path=/ and no Expire=date.

So when the browser is closed (all browser windows, or just the window containing the cookie, depending on the variuos browser implementations), the cookie - and the session - are lost. [*]

This has nothing to do with <session-timeout>, which is a setting that tells the tomcat server-side session manager to expire sessions when idle for more time than specified.

[*] they will still be persisted on disk on the server-side, till session-timeout expires, but there wont be a request with a cookie activating them.

guido
  • 18,864
  • 6
  • 70
  • 95