
Session Doubt?

 
Joe Harry
Ranchers,

I have a doubt regarding sessions and browsers. The following is what David Bridgewater's book says on sessions,

But what if this user, despite repeated and prolonged training followed up with heavy threats, just closes the browser window? The session is over because the client has gone. Even if the user reopens the browser and connects back to the same web application, the web container will interpret this as a new session.


When I tried this using the code as below,



When I ran it, I opened the browser and accessed the servlet and it printed "This is a new session" - for the first request

Then when I closed the browser and opened it again and accessed the servlet, it gave me "This is an already existing session". I'm confused as it contradicts what the book says??

Any idea guys?
[ April 25, 2007: Message edited by: Jothi Shankar Kumar Sankararaj ]
 
Christophe Verré
Some containers, like Tomcat, have options to serialize the session. This is the default behaviour in Tomcat (expireSessionsOnShutdown=false).
 
Joe Harry
Satou,

You are talking about browser shutdown?? Where can I set the expireSessionsOnShutdown=false??
 
Christophe Verré
Sorry, wrong property. This was "saveOnRestart" :
saveOnRestart : Should all sessions be persisted and reloaded when Tomcat is shut down and restarted (or when this application is reloaded)? By default, this attribute is set to true.

Refer to the following :
http://tomcat.apache.org/tomcat-5.5-doc/config/manager.html
 
Joe Harry
Satou,

I'm talking about closing and opening a browser and not about restarting tomcat!
 
Christophe Verré
My mistake, sorry. I don't know about closing the browser.
 
Christophe Verré
Maybe because the session is stored in a cookie, and you are setting its max age to a positive integer. So the session cookie will still be present until the time elapses. I'm not sure about Bridgewater's point.
 
Rancy Chadha
Hi Jothi,

I am not sure whether the issue is with your browser or anything else, but when I tried your code on my system it works as intended, so the statement given in the book is correct. When I open the browser for the first time I get a new session, if I refresh it I get the old session, and if I close the browser and reopen it again I get a new session, as expected. So I can assure you that once the browser is closed and reopened again a new session has to get established since the JSESSIONID cookie has max age set to -1.

Thanks,
-Rancy
 
Joe Harry
Rancy,

Are you using Mozilla Firefox??
 
Rancy Chadha
I tried on two browsers IE ver 6.0 and Mozilla Firefox. It works in the intended manner for both the browsers.

Thanks,
-Rancy
 
Joe Harry
Strange! I don't know why it is not behaving as intended!!
 
Chetan Raju
Hi Jyoti,

I am with you... It's not behaving as intended for me as well... I am using Tomcat 5.5.23 with IE 6.0
 
Christophe Verré
Out of curiosity, I also tried it. The session cookie is deleted when I close Firefox. I had a JSESSIONID set to be killed when the session ends (you can check cookies in Firefox, Tools/Option/Privacy). Restarting Firefox and accessing the same page shows that a new session is created. Same for IE6. No problem.
 
Joe Harry
Any others who tried this?? I want to know the answer??
 
Chetan Raju
I guess it definitely has something to do with the browser setting. The JSESSIONID cookie's timeout is always set to -1, which means that the cookie should be invalid/deleted once the browser is closed. That is somehow not happening?
 
Aniket Patil
As per HFSJ, a session can be destroyed in one of the following 3 cases:

1) Session is invalidated by user (through invalidate())
2) Session times out
3) Application crashes

In light of the above discussion, if the user opens a new window before 300 seconds elapse, do you still expect a new session to be created? Would that not be contradictory to the specification?
 
Joe Harry
Aniket,

I tried with 30 instead of 300 but still I'm not getting the expected behavior!
 
Amit Goyal
Hi,

This issue is with the Browser Settings.
Reason: Cookies are not recycled (deleted) even after the browser is closed.


Hey "Jothi Shankar Kumar Sankararaj" do one thing,

For Mozilla:

1. Click on Tools >> Options >> Privacy.
2. Enable "Always clear my private data when I close Firefox".
3. Click on the "Settings" button which appears adjacent to the "Always clear my private data when I close Firefox" check box.
4. Enable "Cookies" option.

And then give a try!!! I hope it should work.


Regards,

Amit Goyal
 
Joe Harry
Amit,

But this is fine, the HFSJ book on page 273, for question 3, says that there is no mechanism in the HTTP protocol to invalidate the session when we close the browser.

Doesn't this contradict what has been said in David Bridgewater's book??
 
Chetan Raju
Originally posted by Amit Goyal:
Hi,

This issue is with the Browser Settings.
Reason: Cookies are not recycled (deleted) even after the browser is closed.


Hey "Jothi Shankar Kumar Sankararaj" do one thing,

For Mozilla:

1. Click on Tools >> Options >> Privacy.
2. Enable "Always clear my private data when I close Firefox".
3. Click on the "Settings" button which appears adjacent to the "Always clear my private data when I close Firefox" check box.
4. Enable "Cookies" option.

And then give a try!!! I hope it should work.


Regards,

Amit Goyal


But Amit, shouldn't the JSESSIONID which is set, be cleared automatically whenever the browser is closed without manually doing it as you said above ?
 
Arjun Karthick
Hi all,
There are two kinds of cookies: dynamic cookies and persistence cookies. When you set the max age of a cookie to -1, you will get a dynamic cookie. On the other hand, when you specify a time for the max age of a cookie, you will get a persistence cookie. This persistence cookie will persist for the time specified.

In the case of a dynamic cookie, each time a browser is opened a new session is created. But in the case of a persistence cookie, a new session is created the first time, but if you open the browser the next time within the age of the cookie, a new session is not created; instead the same session is used, as it is available in the cookie to the browser.

So in your example, you have created a persistence cookie that stays alive for 300 seconds. So when you tried to open it the second time, the cookie was alive and was used to get the previous session that was created when you first opened the browser.

And in the case of Rancy, I hope the browser doesn't support cookies itself, so a new session was created each time a new browser was opened.

I hope you understood the problem.

regards,
Arjun.
 
Joe Harry
Arjun,

Where did these terminologies come from?? Dynamic and persistence cookies??
 
Stein Vom
Hi all,

New browser is showing:

Hi Stein This is a new session
 
sunil verma
Did you not try to invalidate the session whenever the user closes the window by using JavaScript? Try it.

The session object remains in the server memory until the 3 above told conditions are not satisfied.

So when you close the window, invalidate the session.
 
Amit Goyal
But Amit, shouldn't the JSESSIONID which is set, be cleared automatically whenever the browser is closed without manually doing it as you said above ?


Hey Chetan, the settings I told you about are just a one-time setup; you don't have to do it again and again.

Anyway, there are other ways to get around the situation: one can use URL rewriting to manage the session instead of cookies.



Regards,

Amit Goyal
 
Joe Harry
The head first says, closing a browser window should not invalidate the session. So when you see a new session after closing and opening the browser, this seems something which is illogical and that too even after doing all the necessary settings.
 
Christophe Verré
It's not an official source, but the following place says :
If Expires is not set explicitly, then it defaults to end-of-session. The length of a session can vary depending on browsers and servers, but generally a session is the length of time that the browser is open for (even if the user is no longer at that site).

(replace the first 'k' with a 'c')
http://www.kookiecentral.com/faq/#3.3


Another one :
http://www.jguru.com/faq/view.jsp?EID=125053
which states that However, as far as I can tell, there is no standard way to specify the age of the kookie the servlet container uses to drop the session ID on the browser.
 
Joe Harry
Satou,

Thanks for the links
 
Mark Garland
Hi,

I am having issues with this too.

The JSESSIONID is stored in a cookie which has its age set to -1.

In IE, restarting the browser deletes this cookie (as expected) and the browser prompts me for login details.

In Firefox, the cookie wrongly persists, and the app still thinks I am logged in.

Would be keen to get to the bottom of this.

MG
 
Mark Garland
Hm...

This issue with Firefox occurs when I am accessing the server on my local machine from a browser running on my local machine.

When my colleague accesses my server through Firefox, it works as expected (deleting the cookie).

Very odd.

MG
 
Promod kumar
I tried in Mozilla Firefox, it works as documented in Bridgewater. This is kinda confusing, I don't know why we are seeing different results. Cookies are turned on in my browser.
 
James Mark
Could anyone give the JavaScript function for detecting the browser shutdown and invalidating the session?
 
James Mark
session will be there(till the timeout)....
It will welcome a cookie for sure(if matching)....
solution is....
Kill the Cookie.....
or you will be like
I suffered for a same situation in my Company Project...
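
The cookie max-age behaviour and the invalidate/"kill the cookie" advice discussed in this thread, as an added example that is not code from any poster: a Servlet 2.4 servlet showing the container's default JSESSIONID (max age -1), a persistent re-issue, and a logout that ends the session on both sides. The class name, the `action` parameter and the 300-second values are assumptions chosen for illustration.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added illustration; class name and "action" parameter are hypothetical.
public class SessionLifetimeServlet extends HttpServlet {

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        String action = req.getParameter("action");

        if ("logout".equals(action)) {
            HttpSession existing = req.getSession(false); // look up, never create
            if (existing != null) {
                existing.invalidate();                    // drop the server-side state
            }
            resp.addCookie(sessionCookie(req, "", 0));    // max age 0: browser deletes it
            out.println("Session invalidated and cookie removed");
            return;
        }

        HttpSession session = req.getSession();           // creates a session if absent
        session.setMaxInactiveInterval(300);              // server-side idle timeout (s)
        if ("persist".equals(action)) {
            // Positive max age: the browser keeps the id across a restart and
            // sends it back for up to 300 seconds, so the old session is found.
            resp.addCookie(sessionCookie(req, session.getId(), 300));
        }
        // Without "persist", the container's own JSESSIONID has max age -1 and a
        // browser that honours it discards the cookie when it exits.
        out.println(session.isNew() ? "This is a new session"
                                    : "This is an already existing session");
    }

    private static Cookie sessionCookie(HttpServletRequest req, String value, int maxAge) {
        Cookie c = new Cookie("JSESSIONID", value);
        String path = req.getContextPath();
        c.setPath(path.length() == 0 ? "/" : path);       // match the container's path
        c.setMaxAge(maxAge);
        return c;
    }
}
```

Closing the browser never reaches the server, so in every branch except `logout` the session object stays in memory until the inactive interval expires; only the browser's handling of the cookie decides whether the next visit finds it.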
 