Java:Why http session is not destroyed when tab or browser is closed ?

Question

Hello, I have the following implementation of HttpSessionlistener

public class SessionListener implements HttpSessionAttributeListener, HttpSessionListener {


public void attributeAdded(HttpSessionBindingEvent event) {
   ...

}


public void attributeRemoved(HttpSessionBindingEvent event) {

    ...
}

public void attributeReplaced(HttpSessionBindingEvent event) {

}

//HttpSesion creation & destruction
public void sessionCreated(HttpSessionEvent event) {
    HttpSession session = event.getSession();
    //log created time


}

public void sessionDestroyed(HttpSessionEvent event) {
    HttpSession session = event.getSession();
    long destroyedTime = System.currentTimeMillis();
    //log destroyed time

}

}

Basically i log the session creation and destruction time. But if the session is long (default to 30 minutes), and user closes browser meanwhile, the

sessionDestroyed

is not called ?

Why is that ? Is there a workaround to log exactly the when the session was destroyed (when user closes the browser)? Should'nt be this be the browser's problem, to kill the session when it is closed ?

Is there any interface that i have to implement for this to work ?

Thank you !

Answer 1

With out a lot of work the browser does not inform the server that the window is closed, therefore Java can not know when to destroy the session. Hence the time out is in place and is the first the server knows that this session can be distroyed.

You could try and play an ajax call on the javascript event document.onunload https://developer.mozilla.org/en/DOM/window.onunload but you will need to be sure that the user is not still within your site when you do this.

Answer 2

How would the server know when the browser is closed or the tab closed? At that point the browser doesn't send anything to the server.

This is a fundamental part of HTTP - it's a request/response protocol, not a "permanently open conversation" where you can tell if one party leaves the conversation. Think of it as a series of telegrams rather than a phone call - and you can't tell when you've received the last telegram you're going to get.

You'll need to design your way round this - to avoid needing to know when the browser has been closed. There are some ugly hacks to work around it - making AJAX poll the server with a heartbeat message, for example - but changing the design is a better solution.

Answer 3

Session objects live in the server and are controlled by the server. Only the server can create or destroy sessions. So if the client is closed the session lives until it expires. The client can only suggest to the server that it can destroy some session. This request must be explicit somehow. Hence, when you close a browser window, there's no implicit request to the server informing that it must destroy a given session.

Answer 4

If you need the session to be destroyed when a browser window/tab is closed you might attach a JavaScript handler to the onunload event that makes some sort of AJAX call to a resource that call kill the session.

Note that the onunload event does not always fire so it's not totally trustworthy. One trusty way might be to use a "heartbeat" system.

Answer 5

As Eric mentioned the unload event on the browser can call a javascript function, which in turn can access an url through a servlet that logs you out. You need not wait for the actual response from the servlet.

The web browser interacts with the server through the http protocol and that is stateless.

Answer 6

I had the same problem, and solve it using an intrusive JavaScript event:

window.onunload

Let me briefly explain, lets say you have a JavaScript function that post, using jQuery, the current Session ID to that Servlet to invalidate it, like this:

function safeexit(){
   $.post("/SessionKillServlet", { SID = <%=session.getId()%> }, function(data){});
}

To call that function, you just need to bind it like these:

window.onunload =  safeexit;  //without the ()

Now, safeexit method will be called when the TAB or BROWSER WINDOW gets closed (or in a redirection).

Answer 7

This question is more to "ramayac". Can you please give the code for "SessionKillServlet", that would be more helpful