Hi, is there an alternative to the JavaScript onUnload? I use the JSP Jakarta Struts framework with Servlets.

I must know when the window is closing, because not everyone clicks on the Logout button.
How do you handle it in your applications?

A: 

You should be aware that Opera does not execute onUnload as you would suspect. And you should not rely on JavaScript to see if users close windows.

Ólafur Waage
Yes, but I'm looking for an alternative to the onunload event...
wokena
+5  A: 

Generally speaking, it's impossible to determine conclusively whether a visitor is still "using" (or even looking at) your page. Once the browser has downloaded the page, it's no longer in contact with the server at all, so the page could stay open for a few seconds or a few years and the server would have no idea.

The unload event is certainly a helpful clue, since it usually fires when the page is unloaded. It's not at all reliable, however. There are plenty of situations where it won't fire, and plenty more where even though it does fire your server will remain unaware of it.

For example: the browser (or even the operating system) could crash, or the power could go out. A visitor using Wi-Fi could get disconnected, or could carry her iPhone into a tunnel while using your site.

The standard workaround for this — which we all readily admit is terrible — is to let the visitor's session time out. Even on high-stakes banking websites, you'll find that if you walk away from your computer for four minutes and come back you still have access, but if you walk away for five you're locked out.

This setup certainly finds a lot of false positives: cases where a visitor was still using your page without interacting with it, and therefore is inconvenienced by the timeout. It also allows false negatives: cases where the real visitor has walked away, and a malicious user takes over within the timeout period.

The only major addition to this scheme we've seen lately is exploitation of JavaScript to visibly log the user out after the timeout period. Again, we see this on banking websites: leave the page open for too long and when you come back all you'll see is a login screen. (Of course, this too depends on JavaScript and so is still fallible.)

Unfortunately, since HTTP is a stateless protocol, we'll never be able to know for sure what's going on in the browser (especially if JavaScript is off), so cheap workarounds are really all we can use.

VoteyDisciple
I wouldn't say it's _impossible_, just very hard. There's always Flash + Webcam + motion detection + face detection.
Eli Grey
A: 

I rely on the servlet session timeout to handle the logout automatically. You can register a handler for when the session times out to cover any credential cleanup you need to do. A good example is given here:

http://www.xyzws.com/Servletfaq/when-do-i-use-httpsessionlistener/7

There is no guarantee from the client side that the user will always confirm that they have finished using your site.

ferdley
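
The session-timeout handler described in the answer above, as an added example (it is not from the thread or the linked page). The attribute name, the five-minute timeout and the token map are assumptions made for illustration.

```java
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Runs credential cleanup whenever a session ends: either the user clicked
 * Logout (the action called session.invalidate()) or the window was simply
 * closed and the container expired the session after the idle timeout.
 */
@WebListener // Servlet 3.0+; on older containers declare a <listener> in web.xml
public class SessionCleanupListener implements HttpSessionListener {

    // Assumption: the login action stores the user name under this key.
    static final String USER_ATTR = "authenticatedUser";
    // Assumption: five minutes of inactivity ends the session.
    static final int IDLE_TIMEOUT_SECONDS = 5 * 60;
    // Hypothetical server-side store of per-session credentials or tokens.
    static final Map<String, String> ACTIVE_TOKENS = new ConcurrentHashMap<>();

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        // Enforce the idle timeout on the server; nothing depends on the browser.
        event.getSession().setMaxInactiveInterval(IDLE_TIMEOUT_SECONDS);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        // Called when the session is about to be invalidated, so its
        // attributes can still be read here.
        HttpSession session = event.getSession();
        Object user = session.getAttribute(USER_ATTR);

        // Drop anything that must not outlive the session.
        ACTIVE_TOKENS.remove(session.getId());

        // Tell idle expiry apart from an explicit logout for the audit trail.
        long idleMs = System.currentTimeMillis() - session.getLastAccessedTime();
        boolean timedOut = idleMs >= session.getMaxInactiveInterval() * 1000L;

        if (user != null) {
            // Log the user and the reason, never the session ID itself.
            session.getServletContext().log("Session ended for " + user
                    + (timedOut ? " (idle timeout)" : " (explicit logout)"));
        }
    }
}
```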