• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 561
  • Last Modified:

Invalidate session when user exists the window

Hi,

I want to invalidate a session when user closes the window by pressing x button on right hand side of the window. How to do that?

thanks in adv.
0
rajendra_rathod
Asked:
rajendra_rathod
  • 13
  • 7
  • 4
  • +5
1 Solution
 
knightEknightCommented:
You can't ... the server will have no idea that a user has closed their browser.  However, you can probably set the session to expire after a certain amount of time ...
0
 
cheekycjCommented:
You can try this:

Trap the onUnLoad event:
function expireSession() {
           open("expireSession.jsp",'','width=250,height=250');
}
window.onunload=expireSession;

Now in expireSession.jsp you can do this:
<%@ page session="true" %>
<% session.invalidate(); %>

You have been logged out!


That should work in most scenarios.

CJ
0
 
knightEknightCommented:
yes, but that will open a new browser window, which may not be desirable ... so I would add this:

<%@ page session="true" %>
<% session.invalidate(); %>
<html>
<script language='javascript'>
top.close();
</script>
</html>
0
Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
knightEknightCommented:
... but even that will invalidate the session if they click the back button, or click a link on the page, because both of these would also execute the onUnload event.
0
 
rajendra_rathodAuthor Commented:
Then what to do?
0
 
cheekycjCommented:
if they close the window.. how will they click back?

Also make sure none of your session requring pages are cached using:

Actually, the best thing that works in IE is to have the following:
<%
response.addHeader("Pragma" , "No-cache") ;
response.addHeader("Cache-Control, "no-cache") ;
response.addDateHeader("Expires", 0);  
%>

BOTH in the head of the of page and bottom of the page (I read this in a message board and it seems

to work for me) so the final version would be as such:

<html>
<head>
<%
response.addHeader("Pragma" , "No-cache") ;
response.addHeader("Cache-Control, "no-cache") ;
response.addDateHeader("Expires", 0);  
%>
</head>
<body>

....

</body>
<%
response.addHeader("Pragma" , "No-cache") ;
response.addHeader("Cache-Control, "no-cache") ;
response.addDateHeader("Expires", 0);  
%>
</html>

This works in NS and IE.

HTH,
CJ
0
 
rajendra_rathodAuthor Commented:
Hi,
But if user clicks on some other links then also onUnLoad event is firing.We want it only when user closes the browser.
0
 
cheekycjCommented:
ok then you have to do this:

var currentDomain = ".yoursite.com";
leaving=true;
function myClick() {
 leaving=false;
}
function exitPage() {
  if (leaving) {
    open("expireSession.jsp",'','width=250,height=250');
  }
}
function initPage() {
  for (i=0;i<document.links.length;i++) {
    if (document.links[i].href.indexOf(currentDomain) != -1)
       document.links[i].onclick=myClick;
  }
  for (i=0;i<document.forms.length;i++) {
    if (document.forms[i].action.indexOf(currentDomain) != -1)
       document.forms[i].onsubmit=myClick;
  }
}
window.onload=initPage;
window.onunload=exitPage;

That should handle any links or forms submitted within your site.

CJ
0
 
knightEknightCommented:
what I mean is, the session will be invalidated even if they DON'T close the window, but merely by clicking on a link, or submiting a form, or on the back button, because all of these will also execute the onUnload event.
0
 
cheekycjCommented:
the last comment prevents that.

CJ
0
 
cheekycjCommented:
the only part where this code fails is if they retype the current url or hit reload.

I am not sure about back button.

But this is as close to trapping a user exiting that I know.

CJ
0
 
knightEknightCommented:
yes, but it will over-write any form onSubmit handlers, or any link onClick handlers that might be used in the page (which I admit, I use more that most).
0
 
cheekycjCommented:
probably, I don't use those.. so this was an easy fix.

There are probably was around it.. by manually editing forms and links that have it.. but then it becomes a
maintenance nightmare

CJ
0
 
pellepCommented:
I would argue that it is bad design to have to rely on sessions beeing destroyed as soon as the client closes the browser. There are ways to accomplish this, as you have seen in the previous comments, by using client side java script code. None of them 100% reliable though just for the fact that they ARE client side, thereby dependent on the users browser properly supporting all this functionality (a dangerous assumption indeed). My advise in this matter would be to re-evaluate you design with the assumption that sessions gets destroyed by the container (servlet-engine) when they are deemed invalid/timed out, not necessarily when the client is closed.

If you could elaborate on the reason WHY your design relies on knowing exactly when the browser is closed, maybe we could come with suggestions on how to get around that.

Regards PAP
0
 
cheekycjCommented:
I don't know if it is bad design.. the session when automatically expire due to inactivity.. what you are trying to prevent here (I am assuming) is that when you close your browser, someone doesn't come in and re-open the browser and become you.

Another option is to make your cookie that stores the SESSION ID (usually called JSESSIONID) a session only cookie.

CJ
0
 
knightEknightCommented:
if someone has figured out how to inherit the session of a closed browser, then they can just as easily steal the session of an open browser.  I agree, session management should be handled on the server.

But how do you set the session timeout value in JSP?
0
 
cheekycjCommented:
via your web.xml file. .it is valid for the entir web app, including servlets and JSPs.

CJ
0
 
ahardy66Commented:
Unfortunately onunload won't work in Netscape when the user closes the window with the top right X button. It will in IE, but not Netscape. I think it's the old Microsoft giving lots of leeway to the javascript, and Netscape thinking it's not something that javascript should have to worry about.

Just my 2cents

Adam
0
 
cheekycjCommented:
It works in Mozilla and NS 6 (I believe I remember testing on those)  I am not sure about NS 4.x

CJ
0
 
coreyitCommented:
If the concern really is about another user coming and stealing the previous user's session, I don't think you've got a problem. A new browser instance will be assigned a new session (unless it's spawned from the same window which negates the "closes the window by pressing x button" point). This means that a closed browser, while the session still exists on the server until it times out, will effectively end the session from the client perspective.

If the concern is for disk space or similar, then you could either resort to a client-side possibility as mentioned above, or improve your design so that session objects have a smaller footprint or shorter life span.

-corey
0
 
rajendra_rathodAuthor Commented:
Hi,

We are handling concurrency control in our application. so another reason is i would like to release that record as soon as user closes the window otherwise it remains locked until session time out.


Raj
0
 
pellepCommented:
Hi again,

If concurrency is the issue, I would suggest you maintain locks on a per-request basis, rather than a per-session. Meaning that whatever resource you are locking, you should only maintain the lock for the duration of the page execution.
I assume the resource you are locking is some sort of database with pessimistic page locking. One thing to try, if this is the case, is to issue 'commit transaction' commands to the db after the request is executed (providing you are using a transactional db, of course).
Anyway, just an idea.

Regards PAP
0
 
rajendra_rathodAuthor Commented:
Hi,
Actually it is nothing to do with database . We are generating tree of Entities and as soon as user selects perticular entity it will be locked so when other user tries to select same entity he get all of the details in read-only mode.To do this we need to store entity in application scope.

Regards,

Raj
0
 
cheekycjCommented:
corey: I am not sure about your comment. I know some servlet engines re-use/recycle JSESSION ID.. so if that is the case then its not gaurunteed that you will have a new session when you close the old browser and open a new one.  Unless you make sure that JSESSION ID is a session only cookie.

CJ
0
 
cheekycjCommented:
>soon as user selects perticular entity it will be locked

for how long?  As long as they have their window open/session alive or are there other factors?
0
 
Atdhe NuhiuCommented:
>But how do you set the session timeout value in JSP?

>via your web.xml file. .it is valid for the entir web app, including servlets and JSPs.

Also programmaticaly with setMaxInactiveInterval(), a method of javax.servlet.http.HttpSession.

0
 
MoondancerCommented:
ADMINISTRATION WILL BE CONTACTING YOU SHORTLY.  Moderators Computer101 or Netminder will return to finalize these if they are still open in 14 days.  Experts, please post closing recommendations before that time.

Below are your open questions as of today.  Questions which have been inactive for 21 days or longer are considered to be abandoned and for those, your options are:
1. Accept a Comment As Answer (use the button next to the Expert's name).
2. Close the question if the information was not useful to you, but may help others. You must tell the participants why you wish to do this, and allow for Expert response.  This choice will include a refund to you, and will move this question to our PAQ (Previously Asked Question) database.  If you found information outside this question thread, please add it.
3. Ask Community Support to help split points between participating experts, or just comment here with details and we'll respond with the process.
4. Delete the question (if it has no potential value for others).
   --> Post comments for expert of your intention to delete and why
   --> YOU CANNOT DELETE A QUESTION with comments; special handling by a Moderator is required.

For special handling needs, please post a zero point question in the link below and include the URL (question QID/link) that it regards with details.
http://www.experts-exchange.com/jsp/qList.jsp?ta=commspt
 
Please click this link for Help Desk, Guidelines/Member Agreement and the Question/Answer process.  http://www.experts-exchange.com/jsp/cmtyHelpDesk.jsp

Click you Member Profile to view your question history and please keep them updated. If you are a KnowledgePro user, use the Power Search option to find them.  

Questions which are LOCKED with a Proposed Answer but do not help you, should be rejected with comments added.  When you grade the question less than an A, please comment as to why.  This helps all involved, as well as others who may access this item in the future.  PLEASE DO NOT AWARD POINTS TO ME.

To view your open questions, please click the following link(s) and keep them all current with updates.
http://www.experts-exchange.com/questions/Q.20085334.html
http://www.experts-exchange.com/questions/Q.20097573.html
http://www.experts-exchange.com/questions/Q.20118335.html
http://www.experts-exchange.com/questions/Q.20121382.html
http://www.experts-exchange.com/questions/Q.20138443.html
http://www.experts-exchange.com/questions/Q.20165175.html
http://www.experts-exchange.com/questions/Q.20182803.html
http://www.experts-exchange.com/questions/Q.20269918.html
http://www.experts-exchange.com/questions/Q.20286564.html
http://www.experts-exchange.com/questions/Q.20287064.html
http://www.experts-exchange.com/questions/Q.20286574.html
http://www.experts-exchange.com/questions/Q.20293622.html
http://www.experts-exchange.com/questions/Q.20293617.html



*****  E X P E R T S    P L E A S E  ******  Leave your closing recommendations.
If you are interested in the cleanup effort, please click this link
http://www.experts-exchange.com/jsp/qManageQuestion.jsp?ta=commspt&qid=20274643 
POINTS FOR EXPERTS awaiting comments are listed in the link below
http://www.experts-exchange.com/commspt/Q.20277028.html
 
Moderators will finalize this question if in @14 days Asker has not responded.  This will be moved to the PAQ (Previously Asked Questions) at zero points, deleted or awarded.
 
Thanks everyone.
Moondancer
Moderator @ Experts Exchange
0
 
cheekycjCommented:
great input from various experts.. 20 pts is too few to split btw the deserving experts so I would recommend a PAQ.

CJ
0
 
MoondancerCommented:
Good point, CJ, especially since "easy" questions begin at 50 points and rajendra_rathod posted at only 20 points.

Let us give this a few days and see if Asker is willing to increase this and award points to all who helped.

Moondancer - EE Moderator
0
 
knightEknightCommented:
only a B on a 20 pt question ... I'll remember that next time I see a question from him.
0
 
MoondancerCommented:
Since I did request comments if the grade was less than an "A", and received none, can only assume (based on the information given here) that the "B" was chosen in error and corrected it.
Thanks,
Moondancer - EE Moderator
0
 
cheekycjCommented:
Thank you Moondancer.

CJ
0
 
MoondancerCommented:
:)
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

  • 13
  • 7
  • 4
  • +5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now