Win a copy of The Java Performance Companion this week in the Performance forum!
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

Session Invalidate -- Many ways

 
Gurumurthy Ramamurthy
Ranch Hand
Posts: 273
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Guys:

The session can be invalidated by the following ways:

1. calling invalidate() method
2. Allowing the server to time-out the session

Also, I wonder if we close the browser (the user was in session and a session id was maintained), and open a new browser with same URL (forget about username/password..it is a clean URL without authentication...like counter servlet):

1. Same session id would be maintained? or
new session id would be created?
2. What happens if I append the URL with jsessionid=<session-id-number>?

Thanks a lot,
Guru
[ July 24, 2006: Message edited by: Bear Bibeault ]
 
Harish Tiruvile
Ranch Hand
Posts: 99
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi , Gurumurthy Ramamurthy

Every server will maintained session for specific amount of time,...if you open the window once again before that time elapse,then definitely Same session id will be used...

Because when u sent Session ID in Header ...server will check whether it is a valid Session ID or not(Here Valid means whether it exist in server or not)....So , i think same session ID will be used



New session Id will be created only if
1.your session time-out occured
2.if you have not enabled cookie and not using sessionID in URL....
[ July 24, 2006: Message edited by: harish thrivile ]
 
Gurumurthy Ramamurthy
Ranch Hand
Posts: 273
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
No.

In my testcase, I have found the folloiwin on weblogic server

1. If you open new browser with URL alone, it creates a new session id.
2. If you refresh in the same browser, same session id is used
3. If you open a new broser with URL appended jsessionid, same session id is used.

Thanks,
Guru
 
Harish Tiruvile
Ranch Hand
Posts: 99
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
1. If you open new browser with URL alone, it creates a new session id

yes...it is correct ...Because...if you are not sending sessionID then how will server recognize you...you have to send sessionID to server,here you told you are not sending it through URL(& if your cookie is disabled then server cannot identify you ),So,no sessionID to resognize the session, So it will create new SessionID thinking that you are asking for that resourse for the first time


2.If you refresh in the same browser, same session id is used

Here ,since you have already accessed the server , server have sent sessionId (may be appended to URL or store that in cookie...it depends whether u enabled\disabled cookie).....if it is written in URL then,when u press refresh button ,since you are having Session ID appended in URL..same session ID will be used(if time out has not elapsed)

3.If you open a new broser with URL appended jsessionid, same session id is used.

thats correct ..because server can identify you through Session id ,so no need to create another session id(ofcource if time out has not occured)....
[ July 24, 2006: Message edited by: harish thrivile ]
 
Pavan Kashyap
Greenhorn
Posts: 8
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi all,
I agree to all the points mentioned above.
The same session can be maintained no matter u close the browzer,or refresh or you give session-id...but before the time elapses...
 
Romi Dave
Greenhorn
Posts: 26
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
So how do you invalidate a session when the user closes the browser window? :roll:

Thanks,
 
Ben Souther
Sheriff
Posts: 13411
Firefox Browser Redhat VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Originally posted by Romi Dave:
So how do you invalidate a session when the user closes the browser window? :roll:

Thanks,


The server (where servlets live) doesn't know if a user has closed the browser window. So, in this case, the session will just time out.
If the user opens a new browser and makes a request to your app, it will start a new session.

(if you're using url re-writing and the user manually enters the URL or has had it bookmarked, it could be possible to re-join this session if they hit your app before the session has timed out but this is a fringe case).
 
Romi Dave
Greenhorn
Posts: 26
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
So is there a way by which we can invalidate a session when the browser window is closed and not let it just time out? This issue has been troubling me for few days now...

Thanks,
 
Ben Souther
Sheriff
Posts: 13411
Firefox Browser Redhat VI Editor
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic