?
Solved

Does calling session.invalidate() cause the session object to expire?

Posted on 2003-03-27
20
Medium Priority
?
212 Views
Last Modified: 2010-04-01
I am developing an application which i don't want to expire. So i set setMaxInactiveInterval(-1) and this seems to work. When the user quits, i call a session.invalidate() function. However the servlet container seems to keep that object forever even after i restart the computer (!). I am using ServletExec 4.1.1 and in the sessions page i always see some session objects for the application i have set the -1 value to..
0
Comment
Question by:gayuk
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 8
  • 4
20 Comments
 
LVL 14

Expert Comment

by:kennethxu
ID: 8222162
if user close browser without logout, those session object will never be clearn up.

it is not practical to use never expire.

if you dont't want user to timeout, you set expire 30 minutes and use a hidden frame to refresh a dummy page every 25 minutes. that will keep user in but if user close browser, session will be cleared after half hour.
0
 

Author Comment

by:gayuk
ID: 8222862
how can a user logout?..
Can you give me an example code?
Thanks
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 8224342
or you can force to make the cookie that is used to be session only :-)

CJ
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
LVL 14

Expert Comment

by:kennethxu
ID: 8225402
>> how can a user logout?..
when user hit logout button (or quite, exit, whatever you mane it), a logout page receives the request and do session.invalidate(), that's the way to logout. you are correct.
BUT, if user didn't hit logout button and close the browser, your server will never know that, so the session.invalidate will never be called.
So setting your application to never expire is wrong. do you understand me?
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 8225423
The server identifies session by a JSESSIONID value that is usually set as a cookie.

If you can change that cookie to be a session only cookie then when they close the browser then that cookie will be deleted and when they open the browser again, they should be assigned a new JSESSIONID and get a new session.

CJ
0
 
LVL 14

Expert Comment

by:kennethxu
ID: 8225840
>> and when they open the browser again, they should be assigned a new JSESSIONID and get a new session.
that's correct, but the old session object will still exist in server memory and never been cleaned up.
0
 
LVL 14

Expert Comment

by:kennethxu
ID: 8225850
and that's the qayuk's problem, he/she sees active sessions after all users get off.
0
 
LVL 14

Expert Comment

by:kennethxu
ID: 8225855
>> If you can change that cookie to be a session only cookie
by default, JSESSIONID is session only cookie.
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 8225875
active sessions will eventually expire.. that shouldn't be an issue (IMHO) as long as the user doesn't remain logged in .. why does it matter?

If there are that many active sessions then decrease the session timeout :-)

CJ
0
 

Author Comment

by:gayuk
ID: 8226032
I am calling the session.invalidate() when the browser closes..

Inspite of that the session object seems to exist in memory. I understand that garbage collection will not be done as soon as the session is invalidated, but i would expect it to be done atleast after i restart the machine. I have a workaround whereby on closing the browser i reset the InactiveInterval to a small number and this cleans up the session objects..

going back to my original question then.. session.invalidate() does not allow the session object to be cleared out by the servlet container?. I would have thought that it would

(oh and she by the way)
0
 

Author Comment

by:gayuk
ID: 8226279
I am calling the session.invalidate() when the browser closes..

Inspite of that the session object seems to exist in memory. I understand that garbage collection will not be done as soon as the session is invalidated, but i would expect it to be done atleast after i restart the machine. I have a workaround whereby on closing the browser i reset the InactiveInterval to a small number and this cleans up the session objects..

going back to my original question then.. session.invalidate() does not allow the session object to be cleared out by the servlet container?. I would have thought that it would

(oh and she by the way)
0
 
LVL 14

Expert Comment

by:kennethxu
ID: 8226392
>> active sessions will eventually expire..
gayuk said in his question that he set it never expire. that't way I told him, he shouldn't do this.
0
 
LVL 14

Expert Comment

by:kennethxu
ID: 8226504
>> (oh and she by the way)
I'm sorry :)


>> I am calling the session.invalidate() when the browser closes..
how do you determine the borwser close? when use just close browser windows?

according to the specification, session.invalidate()
Invalidates this session then unbinds any objects bound to it.

>> but i would expect it to be done atleast after i restart the machine.
then your server has session persistance enabled.
0
 

Author Comment

by:gayuk
ID: 8227124
>>how do you determine the borwser close? when use just close browser windows?

yes, i call the onunload event and open up another page..


You are right.. it did have persistence enabled..
(At the risk of making this a Session Tutorial) if persistance is enabled, does that mean the session object will not get destroyed even after invalidation?

Thanks
0
 

Author Comment

by:gayuk
ID: 8227267
>>how do you determine the borwser close? when use just close browser windows?

yes, i call the onunload event and open up another page..


You are right.. it did have persistence enabled..
(At the risk of making this a Session Tutorial) if persistance is enabled, does that mean the session object will not get destroyed even after invalidation?

Thanks
0
 

Author Comment

by:gayuk
ID: 8227356
>>how do you determine the borwser close? when use just close browser windows?

yes, i call the onunload event and open up another page..


You are right.. it did have persistence enabled..
(At the risk of making this a Session Tutorial) if persistance is enabled, does that mean the session object will not get destroyed even after invalidation?

Thanks
0
 

Author Comment

by:gayuk
ID: 8227992
>>how do you determine the borwser close? when use just close browser windows?

yes, i call the onunload event and open up another page..


You are right.. it did have persistence enabled..
(At the risk of making this a Session Tutorial) if persistance is enabled, does that mean the session object will not get destroyed even after invalidation?

Thanks
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 8228031
onunload is not reliable.  It is not gaurunteed to be fired.

CJ
0
 
LVL 14

Accepted Solution

by:
kennethxu earned 60 total points
ID: 8228380
>> yes, i call the onunload event and open up another page..
As CJ said, it's not reliable. My experience on verious project is, again, you should not set session time to forever. and do you know that unload will be fired when you move to next page?

>> if persistance is enabled, does that mean the session object will not get destroyed even after invalidation?

NO. once you invalidate it, it will be destroyed sooner or later.

As I said before, there are some sessions that invalidate method had never been called. So you saw those sessions survive forever, because it never timeout.
0
 

Author Comment

by:gayuk
ID: 8246070
Would like to thank cheekcyi as well
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is a fine trick which I've found useful many times, when you just don't want to accidentally run a batch script or the commands needs administrator rights.
Check out the latest tech news, community articles, and expert highlights in August's newsletter.
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …
Suggested Courses
Course of the Month12 days, 1 hour left to enroll

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question