Invalidate a session

I have a jsp servlet based application, with session time out of 30 mins, I want to invalidate the session as soon as a person closes the browser window intentionally or accidentally (OS shutdown/close from tast manager/powerdown)

Can I put a check for that and inv开发者_Go百科alidate the session?

It is not possible to handle this scenario .

There are some browsers which provide this setting as their preference , but you can't handle this programitically.

At max:

You can make a poll from page(may be header) same as gtalk in gmail as soon as connection closes wipe that session out.

1. Why do you want to do that, you have already configured that in server that ,session should stay idle for 30 mins,after that it will expire in server.

2. if you want to do that use the following javascript or jquery(better for cross browser) , when the browse close event happens send an ajax request to invalidate session by running following code in jsp (request.getSession(false).setMaxInactiveInteral(0);)

   From javascript

   <body onbeforeunload="doAjaxCall();">
   
       (or)
   
   jQuery(window).bind("beforeunload", function(){
   
   // Do ajax request and dont wait for the response.
   
   });
   

3. You can implement the server push ajax polling , for example think that session is going to expire in another 2 seconds , send a server side request to client to invalidate the cookie and also in the server you can invalidate the session.

if ( (getcurrentTime() - session.getCreationTime()) > 2000 ) {
}

1. While the page is rendered , get the maxinactiveinterval and then set the value to the JavaScript variable , then use setInterval function , pass the inactiveinterval value to function , once the timeout happens you can set the cookie to expire.

No I don't believe you can do that as there are no hooks available in the browser to get it to send a disconnect notification (of some sort) when it closes and I don't think there is a server-side mechanism to interrogate recent sessions to test their connection status.

If you are using tomcat 5.0/5.5/6.0 container, the cookie generated by tomcat session manager to track the session (JSESSIONID) is a per-session cookie (browser memory only cookie) instead of a persistent cookie (write to disk). That's because the session manager does (hardcoded) setMaxAge(-1), so that the generated HTTP-response contains: Set-Cookie: JSESSIONID=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX; Path=/ and no Expire=date.

So when the browser is closed (all browser windows, or just the window containing the cookie, depending on the variuos browser implementations), the cookie - and the session - are lost. [*]

This has nothing to do with <session-timeout>, which is a setting that tells the tomcat server-side session manager to expire sessions when idle for more time than specified.

[*] they will still be persisted on disk on the server-side, till session-timeout expires, but there wont be a request with a cookie activating them.