?
Solved

Invalidate session when user exists the window

Posted on 2002-04-09
33
Medium Priority
?
553 Views
Last Modified: 2010-04-01
Hi,

I want to invalidate a session when user closes the window by pressing x button on right hand side of the window. How to do that?

thanks in adv.
0
Comment
Question by:rajendra_rathod
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 13
  • 7
  • 4
  • +5
33 Comments
 
LVL 33

Expert Comment

by:knightEknight
ID: 6928544
You can't ... the server will have no idea that a user has closed their browser.  However, you can probably set the session to expire after a certain amount of time ...
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 6928621
You can try this:

Trap the onUnLoad event:
function expireSession() {
           open("expireSession.jsp",'','width=250,height=250');
}
window.onunload=expireSession;

Now in expireSession.jsp you can do this:
<%@ page session="true" %>
<% session.invalidate(); %>

You have been logged out!


That should work in most scenarios.

CJ
0
 
LVL 33

Expert Comment

by:knightEknight
ID: 6928667
yes, but that will open a new browser window, which may not be desirable ... so I would add this:

<%@ page session="true" %>
<% session.invalidate(); %>
<html>
<script language='javascript'>
top.close();
</script>
</html>
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 33

Expert Comment

by:knightEknight
ID: 6928673
... but even that will invalidate the session if they click the back button, or click a link on the page, because both of these would also execute the onUnload event.
0
 
LVL 1

Author Comment

by:rajendra_rathod
ID: 6928686
Then what to do?
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 6928699
if they close the window.. how will they click back?

Also make sure none of your session requring pages are cached using:

Actually, the best thing that works in IE is to have the following:
<%
response.addHeader("Pragma" , "No-cache") ;
response.addHeader("Cache-Control, "no-cache") ;
response.addDateHeader("Expires", 0);  
%>

BOTH in the head of the of page and bottom of the page (I read this in a message board and it seems

to work for me) so the final version would be as such:

<html>
<head>
<%
response.addHeader("Pragma" , "No-cache") ;
response.addHeader("Cache-Control, "no-cache") ;
response.addDateHeader("Expires", 0);  
%>
</head>
<body>

....

</body>
<%
response.addHeader("Pragma" , "No-cache") ;
response.addHeader("Cache-Control, "no-cache") ;
response.addDateHeader("Expires", 0);  
%>
</html>

This works in NS and IE.

HTH,
CJ
0
 
LVL 1

Author Comment

by:rajendra_rathod
ID: 6928719
Hi,
But if user clicks on some other links then also onUnLoad event is firing.We want it only when user closes the browser.
0
 
LVL 19

Accepted Solution

by:
cheekycj earned 80 total points
ID: 6928735
ok then you have to do this:

var currentDomain = ".yoursite.com";
leaving=true;
function myClick() {
 leaving=false;
}
function exitPage() {
  if (leaving) {
    open("expireSession.jsp",'','width=250,height=250');
  }
}
function initPage() {
  for (i=0;i<document.links.length;i++) {
    if (document.links[i].href.indexOf(currentDomain) != -1)
       document.links[i].onclick=myClick;
  }
  for (i=0;i<document.forms.length;i++) {
    if (document.forms[i].action.indexOf(currentDomain) != -1)
       document.forms[i].onsubmit=myClick;
  }
}
window.onload=initPage;
window.onunload=exitPage;

That should handle any links or forms submitted within your site.

CJ
0
 
LVL 33

Expert Comment

by:knightEknight
ID: 6928757
what I mean is, the session will be invalidated even if they DON'T close the window, but merely by clicking on a link, or submiting a form, or on the back button, because all of these will also execute the onUnload event.
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 6928764
the last comment prevents that.

CJ
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 6928770
the only part where this code fails is if they retype the current url or hit reload.

I am not sure about back button.

But this is as close to trapping a user exiting that I know.

CJ
0
 
LVL 33

Expert Comment

by:knightEknight
ID: 6928784
yes, but it will over-write any form onSubmit handlers, or any link onClick handlers that might be used in the page (which I admit, I use more that most).
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 6928830
probably, I don't use those.. so this was an easy fix.

There are probably was around it.. by manually editing forms and links that have it.. but then it becomes a
maintenance nightmare

CJ
0
 
LVL 4

Expert Comment

by:pellep
ID: 6929271
I would argue that it is bad design to have to rely on sessions beeing destroyed as soon as the client closes the browser. There are ways to accomplish this, as you have seen in the previous comments, by using client side java script code. None of them 100% reliable though just for the fact that they ARE client side, thereby dependent on the users browser properly supporting all this functionality (a dangerous assumption indeed). My advise in this matter would be to re-evaluate you design with the assumption that sessions gets destroyed by the container (servlet-engine) when they are deemed invalid/timed out, not necessarily when the client is closed.

If you could elaborate on the reason WHY your design relies on knowing exactly when the browser is closed, maybe we could come with suggestions on how to get around that.

Regards PAP
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 6929292
I don't know if it is bad design.. the session when automatically expire due to inactivity.. what you are trying to prevent here (I am assuming) is that when you close your browser, someone doesn't come in and re-open the browser and become you.

Another option is to make your cookie that stores the SESSION ID (usually called JSESSIONID) a session only cookie.

CJ
0
 
LVL 33

Expert Comment

by:knightEknight
ID: 6929313
if someone has figured out how to inherit the session of a closed browser, then they can just as easily steal the session of an open browser.  I agree, session management should be handled on the server.

But how do you set the session timeout value in JSP?
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 6929357
via your web.xml file. .it is valid for the entir web app, including servlets and JSPs.

CJ
0
 

Expert Comment

by:ahardy66
ID: 6929676
Unfortunately onunload won't work in Netscape when the user closes the window with the top right X button. It will in IE, but not Netscape. I think it's the old Microsoft giving lots of leeway to the javascript, and Netscape thinking it's not something that javascript should have to worry about.

Just my 2cents

Adam
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 6930147
It works in Mozilla and NS 6 (I believe I remember testing on those)  I am not sure about NS 4.x

CJ
0
 
LVL 2

Expert Comment

by:coreyit
ID: 6930680
If the concern really is about another user coming and stealing the previous user's session, I don't think you've got a problem. A new browser instance will be assigned a new session (unless it's spawned from the same window which negates the "closes the window by pressing x button" point). This means that a closed browser, while the session still exists on the server until it times out, will effectively end the session from the client perspective.

If the concern is for disk space or similar, then you could either resort to a client-side possibility as mentioned above, or improve your design so that session objects have a smaller footprint or shorter life span.

-corey
0
 
LVL 1

Author Comment

by:rajendra_rathod
ID: 6930810
Hi,

We are handling concurrency control in our application. so another reason is i would like to release that record as soon as user closes the window otherwise it remains locked until session time out.


Raj
0
 
LVL 4

Expert Comment

by:pellep
ID: 6930827
Hi again,

If concurrency is the issue, I would suggest you maintain locks on a per-request basis, rather than a per-session. Meaning that whatever resource you are locking, you should only maintain the lock for the duration of the page execution.
I assume the resource you are locking is some sort of database with pessimistic page locking. One thing to try, if this is the case, is to issue 'commit transaction' commands to the db after the request is executed (providing you are using a transactional db, of course).
Anyway, just an idea.

Regards PAP
0
 
LVL 1

Author Comment

by:rajendra_rathod
ID: 6930831
Hi,
Actually it is nothing to do with database . We are generating tree of Entities and as soon as user selects perticular entity it will be locked so when other user tries to select same entity he get all of the details in read-only mode.To do this we need to store entity in application scope.

Regards,

Raj
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 6931169
corey: I am not sure about your comment. I know some servlet engines re-use/recycle JSESSION ID.. so if that is the case then its not gaurunteed that you will have a new session when you close the old browser and open a new one.  Unless you make sure that JSESSION ID is a session only cookie.

CJ
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 6931176
>soon as user selects perticular entity it will be locked

for how long?  As long as they have their window open/session alive or are there other factors?
0
 
LVL 13

Expert Comment

by:Philip Pinnell
ID: 6944715
>But how do you set the session timeout value in JSP?

>via your web.xml file. .it is valid for the entir web app, including servlets and JSPs.

Also programmaticaly with setMaxInactiveInterval(), a method of javax.servlet.http.HttpSession.

0
 
LVL 1

Expert Comment

by:Moondancer
ID: 6973978
ADMINISTRATION WILL BE CONTACTING YOU SHORTLY.  Moderators Computer101 or Netminder will return to finalize these if they are still open in 14 days.  Experts, please post closing recommendations before that time.

Below are your open questions as of today.  Questions which have been inactive for 21 days or longer are considered to be abandoned and for those, your options are:
1. Accept a Comment As Answer (use the button next to the Expert's name).
2. Close the question if the information was not useful to you, but may help others. You must tell the participants why you wish to do this, and allow for Expert response.  This choice will include a refund to you, and will move this question to our PAQ (Previously Asked Question) database.  If you found information outside this question thread, please add it.
3. Ask Community Support to help split points between participating experts, or just comment here with details and we'll respond with the process.
4. Delete the question (if it has no potential value for others).
   --> Post comments for expert of your intention to delete and why
   --> YOU CANNOT DELETE A QUESTION with comments; special handling by a Moderator is required.

For special handling needs, please post a zero point question in the link below and include the URL (question QID/link) that it regards with details.
http://www.experts-exchange.com/jsp/qList.jsp?ta=commspt
 
Please click this link for Help Desk, Guidelines/Member Agreement and the Question/Answer process.  http://www.experts-exchange.com/jsp/cmtyHelpDesk.jsp

Click you Member Profile to view your question history and please keep them updated. If you are a KnowledgePro user, use the Power Search option to find them.  

Questions which are LOCKED with a Proposed Answer but do not help you, should be rejected with comments added.  When you grade the question less than an A, please comment as to why.  This helps all involved, as well as others who may access this item in the future.  PLEASE DO NOT AWARD POINTS TO ME.

To view your open questions, please click the following link(s) and keep them all current with updates.
http://www.experts-exchange.com/questions/Q.20085334.html
http://www.experts-exchange.com/questions/Q.20097573.html
http://www.experts-exchange.com/questions/Q.20118335.html
http://www.experts-exchange.com/questions/Q.20121382.html
http://www.experts-exchange.com/questions/Q.20138443.html
http://www.experts-exchange.com/questions/Q.20165175.html
http://www.experts-exchange.com/questions/Q.20182803.html
http://www.experts-exchange.com/questions/Q.20269918.html
http://www.experts-exchange.com/questions/Q.20286564.html
http://www.experts-exchange.com/questions/Q.20287064.html
http://www.experts-exchange.com/questions/Q.20286574.html
http://www.experts-exchange.com/questions/Q.20293622.html
http://www.experts-exchange.com/questions/Q.20293617.html



*****  E X P E R T S    P L E A S E  ******  Leave your closing recommendations.
If you are interested in the cleanup effort, please click this link
http://www.experts-exchange.com/jsp/qManageQuestion.jsp?ta=commspt&qid=20274643 
POINTS FOR EXPERTS awaiting comments are listed in the link below
http://www.experts-exchange.com/commspt/Q.20277028.html
 
Moderators will finalize this question if in @14 days Asker has not responded.  This will be moved to the PAQ (Previously Asked Questions) at zero points, deleted or awarded.
 
Thanks everyone.
Moondancer
Moderator @ Experts Exchange
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 6978609
great input from various experts.. 20 pts is too few to split btw the deserving experts so I would recommend a PAQ.

CJ
0
 
LVL 1

Expert Comment

by:Moondancer
ID: 6979199
Good point, CJ, especially since "easy" questions begin at 50 points and rajendra_rathod posted at only 20 points.

Let us give this a few days and see if Asker is willing to increase this and award points to all who helped.

Moondancer - EE Moderator
0
 
LVL 33

Expert Comment

by:knightEknight
ID: 6980350
only a B on a 20 pt question ... I'll remember that next time I see a question from him.
0
 
LVL 1

Expert Comment

by:Moondancer
ID: 6980481
Since I did request comments if the grade was less than an "A", and received none, can only assume (based on the information given here) that the "B" was chosen in error and corrected it.
Thanks,
Moondancer - EE Moderator
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 6981330
Thank you Moondancer.

CJ
0
 
LVL 1

Expert Comment

by:Moondancer
ID: 6982221
:)
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
Ready to get certified? Check out some courses that help you prepare for third-party exams.
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question