Java:Why http session is not destroyed when tab or browser is closed?

Question

I have the following implementation of HttpSessionlistener

public class SessionListener implements HttpSessionAttributeListener, HttpSessionListener {


publ         


        

Answer 1

there is some hacks for knows following code for destroy session when user closes browser

client side:

<script src="jquery path"></script>
<script>
  window.onunload = function(){ $.get("${request.contextPath}/logout"); }
</script>

server side: create request mapping for "/logout"

public void doGet(HttpServletRequest request, HttpServletResponse) {
  request.getSession().invalidate();
  System.out.println('destroy from logout on unload browser');
}

Following code is optional

use session listener when want to know when session destroyed

//    in class

import javax.servlet.*;
import javax.servlet.http.*;
public class SesListener implements HttpSessionListener {
  public void sessionCreated(HttpSessionEvent se) {
   System.out.println("Session created...");
  }

  public void sessionDestroyed(HttpSessionEvent se) {
    System.out.println("Session destroyed...");
  }
}

//-----------------------------------------

// in web.xml
<listener>
   <listener-class>SesListener</listener-class>
</listener>

Answer 2

NOTE: As jwenting commented below, this it's not 100% safe at all. If the the onunload event does not get triggered by a closing event of the browser tab or window, then this would fail.

I had the same problem, and solve it using an intrusive JavaScript event:

window.onunload

Let me briefly explain, lets say you have a JavaScript function that post, using jQuery, the current Session ID to that Servlet to invalidate it, like this:

function safeexit(){
   $.post("/SessionKillServlet", { SID = <%=session.getId()%> }, function(data){});
}

To call that function, you just need to bind it like these:

window.onunload =  safeexit;  //without the ()

Now, safeexit method will be called when the TAB or BROWSER WINDOW gets closed (or in a redirection).

Answer 3

you can just verify if your session user , aren't null like :

if (session.getAttribute("user") != null )
   sessionsetAttribute("user","null");

Answer 4

How would the server know when the browser is closed or the tab closed? At that point the browser doesn't send anything to the server.

This is a fundamental part of HTTP - it's a request/response protocol, not a "permanently open conversation" where you can tell if one party leaves the conversation. Think of it as a series of telegrams rather than a phone call - and you can't tell when you've received the last telegram you're going to get.

You'll need to design your way round this - to avoid needing to know when the browser has been closed. There are some ugly hacks to work around it - making AJAX poll the server with a heartbeat message, for example - but changing the design is a better solution.

Answer 5

If you need the session to be destroyed when a browser window/tab is closed you might attach a JavaScript handler to the onunload event that makes some sort of AJAX call to a resource that call kill the session.

Note that the onunload event does not always fire so it's not totally trustworthy. One trusty way might be to use a "heartbeat" system.

Answer 6

With out a lot of work the browser does not inform the server that the window is closed, therefore Java can not know when to destroy the session. Hence the time out is in place and is the first the server knows that this session can be distroyed.

You could try and play an ajax call on the javascript event document.onunload https://developer.mozilla.org/en/DOM/window.onunload but you will need to be sure that the user is not still within your site when you do this.