Solved

Invalidate session when user exits the window

Posted on 2002-04-09
Last Modified: 2010-04-01
Hi,

I want to invalidate a session when user closes the window by pressing x button on right hand side of the window. How to do that?

thanks in adv.
0
Question by:rajendra_rathod
33 Comments
 
LVL 33

Expert Comment

by:knightEknight
You can't ... the server will have no idea that a user has closed their browser.  However, you can probably set the session to expire after a certain amount of time ...
0
 
LVL 19

Expert Comment

by:cheekycj
You can try this:

Trap the onUnLoad event:
function expireSession() {
           open("expireSession.jsp",'','width=250,height=250');
}
window.onunload=expireSession;

Now in expireSession.jsp you can do this:
<%@ page session="true" %>
<% session.invalidate(); %>

You have been logged out!


That should work in most scenarios.

CJ
0
 
LVL 33

Expert Comment

by:knightEknight
yes, but that will open a new browser window, which may not be desirable ... so I would add this:

<%@ page session="true" %>
<% session.invalidate(); %>
<html>
<script language='javascript'>
top.close();
</script>
</html>
0
 
LVL 33

Expert Comment

by:knightEknight
... but even that will invalidate the session if they click the back button, or click a link on the page, because both of these would also execute the onUnload event.
0
 
LVL 1

Author Comment

by:rajendra_rathod
Then what to do?
0
 
LVL 19

Expert Comment

by:cheekycj
if they close the window.. how will they click back?

Also make sure none of your session-requiring pages are cached using:

Actually, the best thing that works in IE is to have the following:
<%
response.addHeader("Pragma", "No-cache");
response.addHeader("Cache-Control", "no-cache");
response.addDateHeader("Expires", 0);
%>

BOTH in the head of the page and bottom of the page (I read this in a message board and it seems to work for me) so the final version would be as such:

<html>
<head>
<%
response.addHeader("Pragma", "No-cache");
response.addHeader("Cache-Control", "no-cache");
response.addDateHeader("Expires", 0);
%>
</head>
<body>

....

</body>
<%
response.addHeader("Pragma", "No-cache");
response.addHeader("Cache-Control", "no-cache");
response.addDateHeader("Expires", 0);
%>
</html>

This works in NS and IE.

HTH,
CJ
0
 
LVL 1

Author Comment

by:rajendra_rathod
Hi,
But if user clicks on some other links then also onUnLoad event is firing. We want it only when user closes the browser.
0
 
LVL 19

Accepted Solution

by:
cheekycj earned 20 total points
ok then you have to do this:

var currentDomain = ".yoursite.com";
leaving=true;
function myClick() {
 leaving=false;
}
function exitPage() {
  if (leaving) {
    open("expireSession.jsp",'','width=250,height=250');
  }
}
function initPage() {
  for (i=0;i<document.links.length;i++) {
    if (document.links[i].href.indexOf(currentDomain) != -1)
       document.links[i].onclick=myClick;
  }
  for (i=0;i<document.forms.length;i++) {
    if (document.forms[i].action.indexOf(currentDomain) != -1)
       document.forms[i].onsubmit=myClick;
  }
}
window.onload=initPage;
window.onunload=exitPage;

That should handle any links or forms submitted within your site.

CJ
0
 
LVL 33

Expert Comment

by:knightEknight
what I mean is, the session will be invalidated even if they DON'T close the window, but merely by clicking on a link, or submitting a form, or on the back button, because all of these will also execute the onUnload event.
0
 
LVL 19

Expert Comment

by:cheekycj
the last comment prevents that.

CJ
0
 
LVL 19

Expert Comment

by:cheekycj
the only part where this code fails is if they retype the current url or hit reload.

I am not sure about back button.

But this is as close to trapping a user exiting that I know.

CJ
0
 
LVL 33

Expert Comment

by:knightEknight
yes, but it will over-write any form onSubmit handlers, or any link onClick handlers that might be used in the page (which I admit, I use more than most).
0
 
LVL 19

Expert Comment

by:cheekycj
probably, I don't use those.. so this was an easy fix.

There are probably ways around it.. by manually editing forms and links that have it.. but then it becomes a maintenance nightmare

CJ
0
 
LVL 4

Expert Comment

by:pellep
I would argue that it is bad design to have to rely on sessions being destroyed as soon as the client closes the browser. There are ways to accomplish this, as you have seen in the previous comments, by using client side java script code. None of them 100% reliable though just for the fact that they ARE client side, thereby dependent on the user's browser properly supporting all this functionality (a dangerous assumption indeed). My advice in this matter would be to re-evaluate your design with the assumption that sessions get destroyed by the container (servlet-engine) when they are deemed invalid/timed out, not necessarily when the client is closed.

If you could elaborate on the reason WHY your design relies on knowing exactly when the browser is closed, maybe we could come with suggestions on how to get around that.

Regards PAP
0
 
LVL 19

Expert Comment

by:cheekycj
I don't know if it is bad design.. the session will automatically expire due to inactivity.. what you are trying to prevent here (I am assuming) is that when you close your browser, someone doesn't come in and re-open the browser and become you.

Another option is to make your cookie that stores the SESSION ID (usually called JSESSIONID) a session only cookie.

CJ
0
 
LVL 33

Expert Comment

by:knightEknight
if someone has figured out how to inherit the session of a closed browser, then they can just as easily steal the session of an open browser.  I agree, session management should be handled on the server.

But how do you set the session timeout value in JSP?
0

 
LVL 19

Expert Comment

by:cheekycj
via your web.xml file. It is valid for the entire web app, including servlets and JSPs.

CJ
0
 

Expert Comment

by:ahardy66
Unfortunately onunload won't work in Netscape when the user closes the window with the top right X button. It will in IE, but not Netscape. I think it's the old Microsoft giving lots of leeway to the javascript, and Netscape thinking it's not something that javascript should have to worry about.

Just my 2cents

Adam
0
 
LVL 19

Expert Comment

by:cheekycj
It works in Mozilla and NS 6 (I believe I remember testing on those)  I am not sure about NS 4.x

CJ
0
 
LVL 2

Expert Comment

by:coreyit
If the concern really is about another user coming and stealing the previous user's session, I don't think you've got a problem. A new browser instance will be assigned a new session (unless it's spawned from the same window which negates the "closes the window by pressing x button" point). This means that a closed browser, while the session still exists on the server until it times out, will effectively end the session from the client perspective.

If the concern is for disk space or similar, then you could either resort to a client-side possibility as mentioned above, or improve your design so that session objects have a smaller footprint or shorter life span.

-corey
0
 
LVL 1

Author Comment

by:rajendra_rathod
Hi,

We are handling concurrency control in our application. So another reason is I would like to release that record as soon as user closes the window, otherwise it remains locked until session time out.


Raj
0
 
LVL 4

Expert Comment

by:pellep
Hi again,

If concurrency is the issue, I would suggest you maintain locks on a per-request basis, rather than a per-session. Meaning that whatever resource you are locking, you should only maintain the lock for the duration of the page execution.
I assume the resource you are locking is some sort of database with pessimistic page locking. One thing to try, if this is the case, is to issue 'commit transaction' commands to the db after the request is executed (providing you are using a transactional db, of course).
Anyway, just an idea.

Regards PAP
0
 
LVL 1

Author Comment

by:rajendra_rathod
Hi,
Actually it is nothing to do with database. We are generating tree of Entities and as soon as user selects particular entity it will be locked so when other user tries to select same entity he gets all of the details in read-only mode. To do this we need to store entity in application scope.

Regards,

Raj
0
 
LVL 19

Expert Comment

by:cheekycj
corey: I am not sure about your comment. I know some servlet engines re-use/recycle JSESSION ID.. so if that is the case then it's not guaranteed that you will have a new session when you close the old browser and open a new one.  Unless you make sure that JSESSION ID is a session only cookie.

CJ
0
 
LVL 19

Expert Comment

by:cheekycj
>soon as user selects particular entity it will be locked

for how long?  As long as they have their window open/session alive or are there other factors?
0
 
LVL 13

Expert Comment

by:Philip Pinnell
>But how do you set the session timeout value in JSP?

>via your web.xml file. It is valid for the entire web app, including servlets and JSPs.

Also programmatically with setMaxInactiveInterval(), a method of javax.servlet.http.HttpSession.

0
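
Added example, not code from any poster in this thread: one way to tie the entity lock rajendra_rathod describes to the server-side session lifecycle, together with the setMaxInactiveInterval() call mentioned above, so the lock is freed on logout, invalidation or timeout without relying on onunload. The class name EntityLock, the attribute name and the 10-minute idle limit are assumptions.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

// Hypothetical session-bound lock: the container calls valueUnbound() when the
// attribute is removed, the session is invalidated, or the session times out.
public class EntityLock implements HttpSessionBindingListener {
    // Application-wide table: entity id -> id of the session holding the lock.
    private static final ConcurrentMap<String, String> LOCKS = new ConcurrentHashMap<>();
    private static final String ATTR = "entityLock"; // assumed attribute name
    private static final int IDLE_SECONDS = 10 * 60; // assumed idle limit

    private final String entityId;
    private final String ownerSessionId;

    private EntityLock(String entityId, String ownerSessionId) {
        this.entityId = entityId;
        this.ownerSessionId = ownerSessionId;
    }

    // Returns true if this session holds the lock; false means show read-only.
    public static boolean acquire(HttpSession session, String entityId) {
        String me = session.getId();
        String owner = LOCKS.putIfAbsent(entityId, me);
        if (owner != null) {
            return owner.equals(me);
        }
        try {
            session.setMaxInactiveInterval(IDLE_SECONDS);
            // Replacing an earlier EntityLock unbinds it, freeing the old entity.
            session.setAttribute(ATTR, new EntityLock(entityId, me));
        } catch (IllegalStateException sessionAlreadyInvalid) {
            LOCKS.remove(entityId, me); // do not leak the lock
            throw sessionAlreadyInvalid;
        }
        return true;
    }

    @Override
    public void valueBound(HttpSessionBindingEvent event) {
        // Nothing to do: acquire() already recorded the lock.
    }

    @Override
    public void valueUnbound(HttpSessionBindingEvent event) {
        LOCKS.remove(entityId, ownerSessionId); // only if still owned by this session
    }
}
```

A logout or "done editing" action can call session.removeAttribute("entityLock") or session.invalidate(); both paths end in valueUnbound(), the same as a timeout.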
 
LVL 1

Expert Comment

by:Moondancer
ADMINISTRATION WILL BE CONTACTING YOU SHORTLY.  Moderators Computer101 or Netminder will return to finalize these if they are still open in 14 days.  Experts, please post closing recommendations before that time.

Below are your open questions as of today.  Questions which have been inactive for 21 days or longer are considered to be abandoned and for those, your options are:
1. Accept a Comment As Answer (use the button next to the Expert's name).
2. Close the question if the information was not useful to you, but may help others. You must tell the participants why you wish to do this, and allow for Expert response.  This choice will include a refund to you, and will move this question to our PAQ (Previously Asked Question) database.  If you found information outside this question thread, please add it.
3. Ask Community Support to help split points between participating experts, or just comment here with details and we'll respond with the process.
4. Delete the question (if it has no potential value for others).
   --> Post comments for expert of your intention to delete and why
   --> YOU CANNOT DELETE A QUESTION with comments; special handling by a Moderator is required.

For special handling needs, please post a zero point question in the link below and include the URL (question QID/link) that it regards with details.
http://www.experts-exchange.com/jsp/qList.jsp?ta=commspt
 
Please click this link for Help Desk, Guidelines/Member Agreement and the Question/Answer process.  http://www.experts-exchange.com/jsp/cmtyHelpDesk.jsp

Click your Member Profile to view your question history and please keep them updated. If you are a KnowledgePro user, use the Power Search option to find them.  

Questions which are LOCKED with a Proposed Answer but do not help you, should be rejected with comments added.  When you grade the question less than an A, please comment as to why.  This helps all involved, as well as others who may access this item in the future.  PLEASE DO NOT AWARD POINTS TO ME.

To view your open questions, please click the following link(s) and keep them all current with updates.



*****  E X P E R T S    P L E A S E  ******  Leave your closing recommendations.
If you are interested in the cleanup effort, please click this link
http://www.experts-exchange.com/jsp/qManageQuestion.jsp?ta=commspt&qid=20274643
POINTS FOR EXPERTS awaiting comments are listed in the link below
http://www.experts-exchange.com/commspt/Q.20277028.html
 
Moderators will finalize this question if in @14 days Asker has not responded.  This will be moved to the PAQ (Previously Asked Questions) at zero points, deleted or awarded.
 
Thanks everyone.
Moondancer
Moderator @ Experts Exchange
0
 
LVL 19

Expert Comment

by:cheekycj
great input from various experts.. 20 pts is too few to split btw the deserving experts so I would recommend a PAQ.

CJ
0
 
LVL 1

Expert Comment

by:Moondancer
Good point, CJ, especially since "easy" questions begin at 50 points and rajendra_rathod posted at only 20 points.

Let us give this a few days and see if Asker is willing to increase this and award points to all who helped.

Moondancer - EE Moderator
0
 
LVL 33

Expert Comment

by:knightEknight
only a B on a 20 pt question ... I'll remember that next time I see a question from him.
0
 
LVL 1

Expert Comment

by:Moondancer
Since I did request comments if the grade was less than an "A", and received none, can only assume (based on the information given here) that the "B" was chosen in error and corrected it.
Thanks,
Moondancer - EE Moderator
0
 
LVL 19

Expert Comment

by:cheekycj
Thank you Moondancer.

CJ
0
 
LVL 1

Expert Comment

by:Moondancer
:)
0
