Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 227
  • Last Modified:

Does calling session.invalidate() cause the session object to expire?

I am developing an application which i don't want to expire. So i set setMaxInactiveInterval(-1) and this seems to work. When the user quits, i call a session.invalidate() function. However the servlet container seems to keep that object forever even after i restart the computer (!). I am using ServletExec 4.1.1 and in the sessions page i always see some session objects for the application i have set the -1 value to..
0
gayuk
Asked:
gayuk
  • 8
  • 8
  • 4
1 Solution
 
kennethxuCommented:
if user close browser without logout, those session object will never be clearn up.

it is not practical to use never expire.

if you dont't want user to timeout, you set expire 30 minutes and use a hidden frame to refresh a dummy page every 25 minutes. that will keep user in but if user close browser, session will be cleared after half hour.
0
 
gayukAuthor Commented:
how can a user logout?..
Can you give me an example code?
Thanks
0
 
cheekycjCommented:
or you can force to make the cookie that is used to be session only :-)

CJ
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
kennethxuCommented:
>> how can a user logout?..
when user hit logout button (or quite, exit, whatever you mane it), a logout page receives the request and do session.invalidate(), that's the way to logout. you are correct.
BUT, if user didn't hit logout button and close the browser, your server will never know that, so the session.invalidate will never be called.
So setting your application to never expire is wrong. do you understand me?
0
 
cheekycjCommented:
The server identifies session by a JSESSIONID value that is usually set as a cookie.

If you can change that cookie to be a session only cookie then when they close the browser then that cookie will be deleted and when they open the browser again, they should be assigned a new JSESSIONID and get a new session.

CJ
0
 
kennethxuCommented:
>> and when they open the browser again, they should be assigned a new JSESSIONID and get a new session.
that's correct, but the old session object will still exist in server memory and never been cleaned up.
0
 
kennethxuCommented:
and that's the qayuk's problem, he/she sees active sessions after all users get off.
0
 
kennethxuCommented:
>> If you can change that cookie to be a session only cookie
by default, JSESSIONID is session only cookie.
0
 
cheekycjCommented:
active sessions will eventually expire.. that shouldn't be an issue (IMHO) as long as the user doesn't remain logged in .. why does it matter?

If there are that many active sessions then decrease the session timeout :-)

CJ
0
 
gayukAuthor Commented:
I am calling the session.invalidate() when the browser closes..

Inspite of that the session object seems to exist in memory. I understand that garbage collection will not be done as soon as the session is invalidated, but i would expect it to be done atleast after i restart the machine. I have a workaround whereby on closing the browser i reset the InactiveInterval to a small number and this cleans up the session objects..

going back to my original question then.. session.invalidate() does not allow the session object to be cleared out by the servlet container?. I would have thought that it would

(oh and she by the way)
0
 
gayukAuthor Commented:
I am calling the session.invalidate() when the browser closes..

Inspite of that the session object seems to exist in memory. I understand that garbage collection will not be done as soon as the session is invalidated, but i would expect it to be done atleast after i restart the machine. I have a workaround whereby on closing the browser i reset the InactiveInterval to a small number and this cleans up the session objects..

going back to my original question then.. session.invalidate() does not allow the session object to be cleared out by the servlet container?. I would have thought that it would

(oh and she by the way)
0
 
kennethxuCommented:
>> active sessions will eventually expire..
gayuk said in his question that he set it never expire. that't way I told him, he shouldn't do this.
0
 
kennethxuCommented:
>> (oh and she by the way)
I'm sorry :)


>> I am calling the session.invalidate() when the browser closes..
how do you determine the borwser close? when use just close browser windows?

according to the specification, session.invalidate()
Invalidates this session then unbinds any objects bound to it.

>> but i would expect it to be done atleast after i restart the machine.
then your server has session persistance enabled.
0
 
gayukAuthor Commented:
>>how do you determine the borwser close? when use just close browser windows?

yes, i call the onunload event and open up another page..


You are right.. it did have persistence enabled..
(At the risk of making this a Session Tutorial) if persistance is enabled, does that mean the session object will not get destroyed even after invalidation?

Thanks
0
 
gayukAuthor Commented:
>>how do you determine the borwser close? when use just close browser windows?

yes, i call the onunload event and open up another page..


You are right.. it did have persistence enabled..
(At the risk of making this a Session Tutorial) if persistance is enabled, does that mean the session object will not get destroyed even after invalidation?

Thanks
0
 
gayukAuthor Commented:
>>how do you determine the borwser close? when use just close browser windows?

yes, i call the onunload event and open up another page..


You are right.. it did have persistence enabled..
(At the risk of making this a Session Tutorial) if persistance is enabled, does that mean the session object will not get destroyed even after invalidation?

Thanks
0
 
gayukAuthor Commented:
>>how do you determine the borwser close? when use just close browser windows?

yes, i call the onunload event and open up another page..


You are right.. it did have persistence enabled..
(At the risk of making this a Session Tutorial) if persistance is enabled, does that mean the session object will not get destroyed even after invalidation?

Thanks
0
 
cheekycjCommented:
onunload is not reliable.  It is not gaurunteed to be fired.

CJ
0
 
kennethxuCommented:
>> yes, i call the onunload event and open up another page..
As CJ said, it's not reliable. My experience on verious project is, again, you should not set session time to forever. and do you know that unload will be fired when you move to next page?

>> if persistance is enabled, does that mean the session object will not get destroyed even after invalidation?

NO. once you invalidate it, it will be destroyed sooner or later.

As I said before, there are some sessions that invalidate method had never been called. So you saw those sessions survive forever, because it never timeout.
0
 
gayukAuthor Commented:
Would like to thank cheekcyi as well
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 8
  • 8
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now