
Invalidating user session on browser window close

+Pie Number of slices to send: Send
Hi all,
I want to invalidate an HTTPSession when the client closes the browser window. Is it possible?
Any help is highly appreciated.
Thanks
+Pie Number of slices to send: Send
I initially thought "no, since the browser doesn't notify the server-side, there is no way to invalidate the session on browser close." But this didn't make sense when I thought of it. Log in to a site. Close all your browsers and then return. You'll be logged out. So it's possible somehow.


(for Tomcat) in conf/web.xml (or inside the individual application's WEB-INF/web.xml) there is a session configuration tag.

If you set the timeout to -1 that means "never" but I've seen some people say that it means "when the browser closes". So you might investigate if using -1 gives you the behaviour you want.
[ February 10, 2003: Message edited by: Mike Curwen ]
+Pie Number of slices to send: Send
Maybe it must be zero '0'. In that case the session (a cookie on the client side) will not be saved as a file, only in the cache of the browser, or something like that.
Yours,
Mark Monster
+Pie Number of slices to send: Send
I've got another opinion:
It's not possible.
The reason that it appears to work for tomcat is in my opinion: Tomcat sends a temporary cookie which is not permanently saved on the browser. It contains the jsessionid. When the browser is closed the temporary cookie is discarded. After restarting and reconnecting tomcat finds that the browser doesn't send a jsessionid and thus creates a new session for this client. This creates the effect that you're logged off after exiting the browser.
Yours,
Stefan
+Pie Number of slices to send: Send
Stefan is exactly correct, the browser stores the session cookie in its memory space and so if the browser is closed and a new one opened, the session cookie does not exist and hence a new one is created. This behaviour is not specific to Tomcat. The thing to watch out for is that different browsers deal with the cookie differently (see here for more details).
You may be able to artificially create a notification when the browser closes using the JavaScript onUnload() command, but this isn't a great idea as many people disable that command due to its being used to create advertising popups.
+Pie Number of slices to send: Send
 

Originally posted by Pete Harris:
You may be able to artificially create a notification when the browser closes using the JavaScript onUnload() command, but this isn't a great idea as many people disable that command due to its being used to create advertising popups.


Yes, of course, and some people do turn off the power of their computer or disconnect from the internet. So this doesn't work for every case.
What about this:
Create a kind of cookie listener, which destroys sessions after inactivity of 5 minutes or something.
+Pie Number of slices to send: Send
You don't need a cookie listener, every time the user clicks another link inside your application the session's maxinactiveinterval can be updated to the new value.
In any case Stefan is totally right.
+Pie Number of slices to send: Send
 

Originally posted by Asher Tarnopolski:
You don't need a cookie listener, every time the user clicks another link inside your application the session's maxinactiveinterval can be updated to the new value.
In any case Stefan is totally right.


This type of session management is done automatically by the servlet container. All that is required is to set the session timeout time in the web.xml file under the session-timeout tag. If no request is received within the time specified, the session is automatically invalidated.
+Pie Number of slices to send: Send
Thanks all for your ideas. Pete, you are very right that the servlet container does this type of session management. But I want this for a different reason. I have a web application which doesn't allow two logins of the same user. It stores the userid in ServletContext and then for each login checks whether the user is in the ServletContext or not. This is destroyed at the time of logout (when the user presses the logoff button). Now if the user closes the window the session is not terminated, and the same user will not be able to login till session-timeout. I wanted to avoid this. Is this possible?
+Pie Number of slices to send: Send
I've come across this before in a webapp I was writing and there is no satisfactory answer. If it's running on an internal company intranet or something where the environment is controlled, then the onUnload JavaScript will work as you will know exactly which browsers and versions will be running and can test them.
Otherwise your only option (and this is the one I took) is to have standard timeouts controlled by the container, but also have a warning on the login screen saying that if you already have a session active, re-logging in will destroy the old session.
+Pie Number of slices to send: Send
Depending on the situation you can often make this approach a little smarter by storing something such as an IP address with the userid.
If the user tries to log on again from the same IP address before the session has expired, it's probably because they closed the browser. You should offer the choice of closing their old session and starting a new one.
If the user tries to log on again from a different IP address, then it is probably because the browser is still open on the old machine, and may mean that two people are using the same userid. In this case it's usually best to refuse the login with a message indicating that the user is already logged in elsewhere.
A much better solution, usually, is to build your application so that it doesn't care if the same user logs on twice. Makes testing much easier too!
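
The single-login bookkeeping discussed in the last few posts, as an added example that is not code from any poster in this thread: the registry entry is cleared by the container's session-destroyed callback (logout and session-timeout alike), and a second login is decided by the same-IP / different-IP rule described above. The class name, method names and the `Decision` enum are hypothetical; it assumes a Servlet 3.0+ container and the `javax.servlet` namespace.

```java
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** One live session per user id. Class and method names are hypothetical. */
@WebListener
public class SingleLoginRegistry implements HttpSessionListener {
    public enum Decision { ALLOW, OFFER_REPLACE, REFUSE }

    private static final class Entry {
        final HttpSession session; final String sessionId; final String ip;
        Entry(HttpSession s, String ip) { session = s; sessionId = s.getId(); this.ip = ip; }
    }
    private static final ConcurrentHashMap<String, Entry> ACTIVE = new ConcurrentHashMap<>();

    /** Policy from the thread: same IP -> offer takeover; other IP -> refuse. */
    public static Decision check(String userId, String remoteIp) {
        Entry e = ACTIVE.get(userId);
        if (e == null) return Decision.ALLOW;
        // IP is only a hint: users behind one NAT or proxy share an address.
        return e.ip.equals(remoteIp) ? Decision.OFFER_REPLACE : Decision.REFUSE;
    }

    /** Call after authentication succeeds (and after the user confirmed a takeover). */
    public static void register(String userId, String remoteIp, HttpSession session) {
        Entry old = ACTIVE.put(userId, new Entry(session, remoteIp));
        if (old != null && !old.sessionId.equals(session.getId())) {
            try { old.session.invalidate(); }            // ends the abandoned session
            catch (IllegalStateException alreadyInvalid) { /* timed out meanwhile */ }
        }
    }

    @Override public void sessionCreated(HttpSessionEvent se) { }

    /** Fires for logout (invalidate()) and for container timeout alike. */
    @Override public void sessionDestroyed(HttpSessionEvent se) {
        String id = se.getSession().getId();
        // Drop the entry only if the dying session still owns it.
        ACTIVE.values().removeIf(e -> e.sessionId.equals(id));
    }
}
```

A login servlet would call `check(userId, request.getRemoteAddr())` before `register(...)`; closing the browser is still only noticed at session-timeout, but the user is no longer locked out until then.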