J2EE Certificate qs on sessions

Which of the following actions will cause a session to be expunged in a web application? [Check all correct answers]



1. Navigating to a different web site or web application.
2. Closing the web browser.
3. The client does not send a request to the web application for a length of time that exceeds the session timeout value of the associated session object in the application.
4. Accessing a resource which causes the associated session to be explicity invalidated by making a call to the invalidate() method of the session.

Answers given 3,4

My doubt why is option 2 not correct ?
I thought the session automatically ends once you clode browser

Thanks in advance
Shiva

Hi,
Option 2 is not correct because by closing browser you only quit from request scope, remember all request attributes will get lost as you will close the browser.

Session scope exists across multiple requests, closing browser doesn't indicate to the Web sever that no other request will be sent by the same client.

Hi

Let me explain my doubt using a practical example

I logged into javaranch then closed the browser .

When i opened it again ( almost immediately) it still
showed as logged in .

I guess this is using the jsessionid cookie

But isnt the cookie to expire once i close the browser (default setting for
cookie). If not can you explain this to me a bit more clearly

Thanks a lot
Shiva

Hi,
You are right javaranch is using cookie that is stored in cookies folder within windows directory.First check the contents of cookie file stored by javaranch. You will find your login name,password and jsessionid along with other information.
If cookies are enabled by your browser and you did not log out last time whenever you browsed the website, you will always find yourself logged in automatically because of your info that is stored in cookie file. Sessions don't play any role here so it does not matter session is alive or not. Don't relate this case with the life of session or your main problem of closing a browser.

Let's come to the point!
Cookies never expire, it's only jsessionid that is declared invalid by the webserver. Decisions regarding to session expiration is a policy of jvaranch that we can't discuss. Whenever you place a request to the web server jsessionid is added as a part of request header by your browser.

Now think, how can a webserver know that no other request will be sent by the client? To solve this problem sessions are managed by the server.

If you send a request then close the browser and again send a request, webserver could never know that you closed the browser once between two requsts if session is not timed out(depends upon policies).

I think it's clear now that by closing browser you can never indicate to server that you willn't send any request now or you have completed your work. If it's so, how can a session get expired by the server on the closing event?


Please read my previous post again.

Hope, it will help you.

Hi Prateesh ,

Thanks a ton for your detailed answer
I think i finally got it

Thanks
Shiva