Link to home
Start Free TrialLog in
Avatar of gayuk
gayuk

asked on

Does calling session.invalidate() cause the session object to expire?

I am developing an application which i don't want to expire. So i set setMaxInactiveInterval(-1) and this seems to work. When the user quits, i call a session.invalidate() function. However the servlet container seems to keep that object forever even after i restart the computer (!). I am using ServletExec 4.1.1 and in the sessions page i always see some session objects for the application i have set the -1 value to..
Avatar of kennethxu
kennethxu

if user close browser without logout, those session object will never be clearn up.

it is not practical to use never expire.

if you dont't want user to timeout, you set expire 30 minutes and use a hidden frame to refresh a dummy page every 25 minutes. that will keep user in but if user close browser, session will be cleared after half hour.
Avatar of gayuk

ASKER

how can a user logout?..
Can you give me an example code?
Thanks
or you can force to make the cookie that is used to be session only :-)

CJ
>> how can a user logout?..
when user hit logout button (or quite, exit, whatever you mane it), a logout page receives the request and do session.invalidate(), that's the way to logout. you are correct.
BUT, if user didn't hit logout button and close the browser, your server will never know that, so the session.invalidate will never be called.
So setting your application to never expire is wrong. do you understand me?
The server identifies session by a JSESSIONID value that is usually set as a cookie.

If you can change that cookie to be a session only cookie then when they close the browser then that cookie will be deleted and when they open the browser again, they should be assigned a new JSESSIONID and get a new session.

CJ
>> and when they open the browser again, they should be assigned a new JSESSIONID and get a new session.
that's correct, but the old session object will still exist in server memory and never been cleaned up.
and that's the qayuk's problem, he/she sees active sessions after all users get off.
>> If you can change that cookie to be a session only cookie
by default, JSESSIONID is session only cookie.
active sessions will eventually expire.. that shouldn't be an issue (IMHO) as long as the user doesn't remain logged in .. why does it matter?

If there are that many active sessions then decrease the session timeout :-)

CJ
Avatar of gayuk

ASKER

I am calling the session.invalidate() when the browser closes..

Inspite of that the session object seems to exist in memory. I understand that garbage collection will not be done as soon as the session is invalidated, but i would expect it to be done atleast after i restart the machine. I have a workaround whereby on closing the browser i reset the InactiveInterval to a small number and this cleans up the session objects..

going back to my original question then.. session.invalidate() does not allow the session object to be cleared out by the servlet container?. I would have thought that it would

(oh and she by the way)
Avatar of gayuk

ASKER

I am calling the session.invalidate() when the browser closes..

Inspite of that the session object seems to exist in memory. I understand that garbage collection will not be done as soon as the session is invalidated, but i would expect it to be done atleast after i restart the machine. I have a workaround whereby on closing the browser i reset the InactiveInterval to a small number and this cleans up the session objects..

going back to my original question then.. session.invalidate() does not allow the session object to be cleared out by the servlet container?. I would have thought that it would

(oh and she by the way)
>> active sessions will eventually expire..
gayuk said in his question that he set it never expire. that't way I told him, he shouldn't do this.
>> (oh and she by the way)
I'm sorry :)


>> I am calling the session.invalidate() when the browser closes..
how do you determine the borwser close? when use just close browser windows?

according to the specification, session.invalidate()
Invalidates this session then unbinds any objects bound to it.

>> but i would expect it to be done atleast after i restart the machine.
then your server has session persistance enabled.
Avatar of gayuk

ASKER

>>how do you determine the borwser close? when use just close browser windows?

yes, i call the onunload event and open up another page..


You are right.. it did have persistence enabled..
(At the risk of making this a Session Tutorial) if persistance is enabled, does that mean the session object will not get destroyed even after invalidation?

Thanks
Avatar of gayuk

ASKER

>>how do you determine the borwser close? when use just close browser windows?

yes, i call the onunload event and open up another page..


You are right.. it did have persistence enabled..
(At the risk of making this a Session Tutorial) if persistance is enabled, does that mean the session object will not get destroyed even after invalidation?

Thanks
Avatar of gayuk

ASKER

>>how do you determine the borwser close? when use just close browser windows?

yes, i call the onunload event and open up another page..


You are right.. it did have persistence enabled..
(At the risk of making this a Session Tutorial) if persistance is enabled, does that mean the session object will not get destroyed even after invalidation?

Thanks
Avatar of gayuk

ASKER

>>how do you determine the borwser close? when use just close browser windows?

yes, i call the onunload event and open up another page..


You are right.. it did have persistence enabled..
(At the risk of making this a Session Tutorial) if persistance is enabled, does that mean the session object will not get destroyed even after invalidation?

Thanks
onunload is not reliable.  It is not gaurunteed to be fired.

CJ
ASKER CERTIFIED SOLUTION
Avatar of kennethxu
kennethxu

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of gayuk

ASKER

Would like to thank cheekcyi as well