
ending the session when browser is closed using ajax

 
suki sahu
Greenhorn
Posts: 21
Hello,
I am trying to end the session when the browser is closed, and for this I am calling logout.jsp using AJAX. But this is not useful. Can anybody please point out the error?
 
Siddique Ansari
Greenhorn
Posts: 21
 
suki sahu
Greenhorn
Posts: 21
I think this is in .NET and I am not aware of the same.
 
Tim Holloway
Bartender
Posts: 18531
This is not reliable. If the browser crashes, then the JavaScript will not execute. Nor will it execute if the user has JavaScript disabled. It can also lead to problems for people like me who open multiple tabs on the same application - for example, when I'm shopping a web store and want to compare various possible purchases without continually re-fetching pages.

The safest way to manage something like this is to shorten the web.xml timeout value to whatever is reasonable for the application.

If you do intend to send a formal logout notification, I suggest that you precede it with a confirmation dialog.

And if you really have IE5/IE6 clients, I sympathize.
 
suki sahu
Greenhorn
Posts: 21
Tim Holloway wrote:This is not reliable. If the browser crashes, then the JavaScript will not execute. Nor will it execute if the user has JavaScript disabled. It can also lead to problems for people like me who open multiple tabs on the same application - for example, when I'm shopping a web store and want to compare various possible purchases without continually re-fetching pages.

The safest way to manage something like this is to shorten the web.xml timeout value to whatever is reasonable for the application.

If you do intend to send a formal logout notification, I suggest that you precede it with a confirmation dialog.

And if you really have IE5/IE6 clients, I sympathize.

Hi, thanks for replying.
I would like to tell you that I have a page with a form containing some 60 fields.
Suppose I shorten the timeout (say 60 seconds); then the session will expire while the user is still filling in the form.
If I do not shorten the session timeout, and the user closes the browser before logging out, then it will not allow them to log in again until the session has expired (because I have created a field in DB status. When the session is created the status is active, and when the session is destroyed the status is inactive. Login can only happen if the status is inactive).
I think you have understood my requirement. Please ask me if you need more information.
Thanks in advance.
 
Tim Holloway
Bartender
Posts: 18531
I don't know if I understand perfectly, but I'll try.

60 seconds is definitely too short. 5-10 minutes is more appropriate. Maybe 15 for a really complex form like that. You might also want to have the page periodically "ping" the server via AJAX to keep from expiring, but to stay secure, that would require some JavaScript that keeps track of people typing so that an unattended screen wouldn't be left vulnerable.

I don't know what "created a field in DB status" is, but you can add a sessionListener to your webapp that can cancel any work in progress in the event of a session being terminated. Unlike client-side timeouts, this should always work. In fact, it should theoretically even work if you send a shutdown request to the webapp while users are logged in.

From a user-interface perspective, however, 60 fields on a single form is quite a lot. You might want to consider splitting it into multiple screens.
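
Added example, not part of the original post: one way to build the activity-gated keep-alive ping suggested above, so that an unattended screen stops renewing the session and the server-side timeout (and any session listener) still fires. `KeepAlive`, `startKeepAlive` and the URL passed to it are hypothetical names; it assumes the keep-alive request carries the session cookie, which is what makes the container count it as session activity.

```javascript
// Added example: keep-alive that only pings while the user is actually active.
class KeepAlive {
  // ping: function that sends the keep-alive request
  // idleLimitMs: how long without input before the screen counts as unattended
  // now: clock in milliseconds (injectable so the logic can be tested)
  constructor({ ping, idleLimitMs, now = () => Date.now() }) {
    this.ping = ping;
    this.idleLimitMs = idleLimitMs;
    this.now = now;
    this.lastActivity = now();
  }

  // Call from input event handlers (typing, clicking, touching).
  recordActivity() {
    this.lastActivity = this.now();
  }

  // Call on a timer whose interval is shorter than the server session timeout.
  // Returns true if a ping was sent, false if the screen is unattended.
  tick() {
    const idleFor = this.now() - this.lastActivity;
    if (idleFor > this.idleLimitMs) {
      return false; // no ping: let the server-side timeout expire the session
    }
    this.ping();
    return true;
  }
}

// Browser wiring (hypothetical helper). Returns a function that stops the timer.
function startKeepAlive(url, intervalMs, idleLimitMs) {
  const ka = new KeepAlive({
    // Same-origin POST so the session cookie is sent and nothing is cached.
    ping: () => fetch(url, { method: "POST", credentials: "same-origin", cache: "no-store" }),
    idleLimitMs,
  });
  for (const ev of ["keydown", "mousedown", "touchstart", "input"]) {
    document.addEventListener(ev, () => ka.recordActivity(), { passive: true });
  }
  const timer = setInterval(() => ka.tick(), intervalMs);
  return () => clearInterval(timer);
}
```

With this in place the worst-case unattended window is the idle limit plus the server session timeout, so both values should be chosen together.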
 
suki sahu
Greenhorn
Posts: 21
Tim Holloway wrote:I don't know if I understand perfectly, but I'll try.



I don't know what "created a field in DB status" is, but you can add a sessionListener to your webapp that can cancel any work in progress in the event of a session being terminated. Unlike client-side timeouts, this should always work. In fact, it should theoretically even work if you send a shutdown request to the webapp while users are logged in.


See, I am prohibiting multiple logins. If username A is logged in on your computer, then the same username A cannot be logged in from my computer unless he logs out (hope you understand it).
So in order to do this I have created a field in the MySQL database named "status". Now when user A logs in, the status is made active. Suppose another person wants to log in from my computer; then it will not allow it.

I am using a sessionListener which makes the status inactive when the session either expires or the user presses the logout button.
If I can make a call to the sessionListener or session.invalidate() or anything similar to that when the browser closes, then my problem will be solved.
Please provide some idea to handle this.
 
Tim Holloway
Bartender
Posts: 18531
The best way to prevent multiple logins is to give everyone their own login and outline severe penalties for sharing logins/passwords.

Based on what you are describing, however, I can virtually guarantee that you are not using the J2EE login security system, which means that security is almost certainly not very good anyway.

There is, as I mentioned originally, no reliable way to determine when a user has closed a browser window or terminated a browser application.
 
suki sahu
Greenhorn
Posts: 21
Tim Holloway wrote:

Based on what you are describing, however, I can virtually guarantee that you are not using the J2EE login security system, which means that security is almost certainly not very good anyway.


Thanks for this new idea. If you can tell me in brief how to use the J2EE login system, then I will implement it in my application.
Thanks in advance, and hoping for a positive and early response.
 