2009/10/12 Josh Gooding <josh.good...@gmail.com>:
> If I close the browser window, and reopen it without clicking the logout
> button, I can still get back into my active session.  How would I invalidate
> the session upon closing the browser window?

I'm surprised that happens if you shut down the browser *process*
(that would delete the in-memory cookie for the session - try it), but
not surprised if you close the *window*.  Sessions are associated with
a browser process, not a particular window - so you can have 10
windows open at once in the same browser, to the same site, and they
will use the same session.  This is a feature of HTTP, cannot be
gotten round, and applications must either accept that constraint or
break under some circumstances.  For example, what happens if you do
something in a logged-in session, open a new window on your app, hit
your login page, log in as a different user, go back to the old window
and try to make use of the page?

Similarly, another feature of HTTP is that the browser does not have
to maintain any contact at all with the server, and does not have to
tell the server it's going away.  There's also no event you can
reliably catch in JavaScript to detect that the window is closing
(onclose comes close, but not all browsers implement it).  Even a
session timeout on the server merely means "I haven't seen a request
within this period", not "the user has closed the window".  I've seen
people put code in a hidden iframe that polls the server every couple
of minutes just to keep the session alive, and to use a short (say
5-minute) session timeout, but even that doesn't detect a closed
window immediately.  Again, this is a feature of HTTP, cannot be
gotten round, and you just have to accept that perfectly valid
sessions may hang around for some time after the user closes the
particular window they're using to interact with your site.

- Peter

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
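
The server's side of the heartbeat-plus-short-timeout arrangement described in the reply, as an added example that is not part of the original message or of Tomcat's code. It is a small JavaScript model: `SessionStore`, `lingerAfterClose` and the session id `"s1"` are hypothetical names, and time is a plain number of seconds supplied by the caller.

```javascript
// Added example: model of a server-side session table with an idle timeout.
// The server only ever learns "time of last request"; it never sees a window close.
class SessionStore {
  constructor(idleTimeout) {
    this.idleTimeout = idleTimeout; // seconds without a request before expiry
    this.lastSeen = new Map();      // session id -> time of last request
  }

  create(id, now) {
    this.lastSeen.set(id, now);
  }

  // A session is valid until idleTimeout seconds pass with no request.
  isValid(id, now) {
    const seen = this.lastSeen.get(id);
    if (seen === undefined) return false;
    if (now - seen >= this.idleTimeout) {
      this.lastSeen.delete(id); // expired: drop it
      return false;
    }
    return true;
  }

  // Any request, a page hit or a hidden-iframe poll, resets the idle clock.
  touch(id, now) {
    if (!this.isValid(id, now)) return false;
    this.lastSeen.set(id, now);
    return true;
  }

  // Explicit logout: the only path that ends the session immediately.
  invalidate(id) {
    this.lastSeen.delete(id);
  }
}

// Browser logs in at t=0 and polls every pollInterval seconds; the window is
// closed at closeAt without logout, so the polls simply stop.
// Returns how many seconds the session remains usable after the close.
function lingerAfterClose(idleTimeout, pollInterval, closeAt) {
  const store = new SessionStore(idleTimeout);
  store.create("s1", 0);
  for (let t = pollInterval; t < closeAt; t += pollInterval) store.touch("s1", t);
  let t = closeAt;
  while (store.isValid("s1", t)) t += 1;
  return t - closeAt;
}
```

With a 300-second timeout and a 120-second poll, a window closed at t=250 leaves the session usable for another 290 seconds. When the poll interval is shorter than the timeout, the lingering period always falls between the timeout minus the poll interval and the timeout itself.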
