4

I need to end the session automatically when the user is inactive for some particular time say for 10 minutes. We have a method in 

HttpSession session=request.getSession();
session.setAttribute("User", au);
session.setAttribute("name", firstname);
response.sendRedirect("doLogin.jsp");
session.setMaxInterval();

but this will end the session even if the user is active for 10 minutes. How can I end the session when the user closes the browser?

ROMANIA_engineer
  • 54,432
  • 29
  • 203
  • 199
  • User is active but session ends anyway? Looks like a bug. What Server do you use? – Grim Apr 29 '13 at 06:15
  • The session can't end when the browser has been closed. There must be a triggerd Request that has been send when the browser close. – Grim Apr 29 '13 at 06:16
  • @PeterRader please tell me how to do so –  Apr 29 '13 at 06:21

6 Answers6

13

Avoid manual code for that.

simply in web.xml //this will applied for whole application 

<session-config>
<session-timeout>10</session-timeout>
</session-config>

Detect browser close event and call invalidate method

if(session!=null) { 
session.invalidate();   
}
Suresh Atta
  • 120,458
  • 37
  • 198
  • 307
  • i know this but my question is how to close the session when browser is closed –  Apr 29 '13 at 06:23
  • http://stackoverflow.com/questions/6622461/how-to-capture-browser-close-event-in-javascript – Suresh Atta Apr 29 '13 at 06:30
  • thanks for the answer. Well i have last requirement the way i did now accepts multiple login at the same time using a same username and password.for example username x can login at the same time from mozilla,chrome and etc. But i do not want this way suppose if username x login from mozillla and later he logins from chrome the in mozilla it will get loged out automatically.please tell me how to do this –  Apr 29 '13 at 06:58
  • you can go through :http://www.xyzws.com/Servletfaq/when-do-i-use-httpsessionbindinglistener/6 – Suresh Atta Apr 29 '13 at 07:03
  • You got it?? let me know if you need any furthur clarrifications. – Suresh Atta Apr 29 '13 at 07:09
  • thanks for replying i went through the sites you have suggested but i could not get how to implement it –  Apr 29 '13 at 07:13
  • yeah.thats quite tricky..when you are rediricting your user to dashboard or what ever after login..just before that bind the user name or user object to that session then you will get a call in onvalue bound and maintain a map with session and user ..from next time onwords check that map.dont forget to remove him when logout.and you can google it for full fledged example.good luck – Suresh Atta Apr 29 '13 at 07:17
  • @Baadshah Making references to roseindia here can cause you some trouble. – skuntsel Apr 29 '13 at 07:18
  • Oops.. let me delete it. thanks for the help.I don't know that @skuntsel – Suresh Atta Apr 29 '13 at 07:19
  • @Baadshah see after login it is going to dologin.jsp where it matches with the username and password and if it is true then i am setting attribute here.how will i check if multiple persons are trying to login from one username –  Apr 29 '13 at 07:28
6

You can set the session time out as below in the ServletContextListener:

session.setMaxInactiveInterval(15*60); //in seconds

This will give you the advantage that you can read the session timeout from any external properties file/ database and change the session timeout without changing the code.

You can use the unload event and send the logout request to the server. Or keep sending periodic requests to the server informing the user is still active.

Apurv
  • 3,723
  • 3
  • 30
  • 51
2

You need to set the session timeout, that is, the time after which current Session object will be invalidated.

This can be done either by setting timeout in your web.xml like:

<session-config>
    <session-timeout>20</session-timeout>
</session-config>

or programmatically call on the Session object

session.setMaxInactiveInterval(valueInSeconds);

Keep an eye that session timeout period set up in web.xml is in minutes, and programmatically - in seconds.

skuntsel
  • 11,624
  • 11
  • 44
  • 67
  • 1
    thanks for answering but i know this i wanted to end the session when user closes the browser –  Apr 29 '13 at 06:09
  • You should capture browser close event in javascript and logout the user. Find a Q/A [how to capture brower close event](http://stackoverflow.com/questions/6622461/how-to-capture-browser-close-event-in-javascript) – Subhrajyoti Majumder Apr 29 '13 at 06:10
  • Exactly, and call logout servlet from the JavaScript event. – skuntsel Apr 29 '13 at 06:14
2

There is no way to intimate the server about the user closes the browser. That's why the sessions are having configurable timespan. If you wanna do it then try by creating a onclose javascript event and from there do an ajax call to intimate the session close to the server. In the server you can get the session id from this call as parameter and kill it.

I didn't tried it. Don't think it is right to do.

Kirubhananth Chellam
  • 72
  • 3
0

Question: How to end sessions automatically if user closes the browser?
Answer: Set max inactive interval time value less than 0.

Example:

HttpSession session = request.getSession();
session.setMaxInactiveInterval(-1);
session.setAttribute("User", au);
response.sendRedirect("doLogin.jsp");
alkathirikhalid
  • 887
  • 12
  • 18
-1

You can do that from web config file. A sample is here

 <sessionState 
        mode="InProc" 
        stateConnectionString="tcpip=127.0.0.1:42424" 
        stateNetworkTimeout="10" 
        sqlConnectionString="data source=127.0.0.1;Integrated Security=SSPI" 
        sqlCommandTimeout="30" 
        customProvider="" 
        cookieless="UseCookies" 
        cookieName="ASP.NET_SessionId" 
        timeout="10" 
        allowCustomSqlDatabase="false" 
        regenerateExpiredSessionId="true" 
        partitionResolverType="" 
        useHostingIdentity="true">
        <providers>
         <clear />
        </providers>
   </sessionState>

The timeout property will specify the timeout period.

Kirubhananth Chellam
  • 72
  • 3