0

I wish to record the login and the logout timestamp for users.

I understand that as soon as a user hits the login page a new browser specific session is created & sessionCreated(HttpSessionEvent se) is executed. When the session is invalidated that session gets destroyed & the sessionDestroyed(HttpSessionEvent se) is executed. In this scenario recording the login and logout timestamps will work perfectly.

However, say, the user is logged in but closes the browser window. The next time the browser is opened, a new session id will be generated and the user needs to log in again. Hence, the previous login-logout record for that user will be incomplete and a new record with the current session id will be inserted in the database.

How do I tackle this design issue? I read some answers where AJAX polling & JS onunload were discussed but those did not seem to be a reliable solution.

Also, on the other hand, is there a way to keep the session alive even on browser close?

Thanks in advance.

Nilashish C
  • There is no reliable way to do this other than timeouts: Have something clean out the session after X hours. – Thilo Mar 08 '18 at 07:48
  • As for keeping the session alive even on browser close: You could store the session token in a persistent cookie (that the browser won't discard when it closes). – Thilo Mar 08 '18 at 07:49
  • Related: https://stackoverflow.com/questions/706224/javawhy-http-session-is-not-destroyed-when-tab-or-browser-is-closed?noredirect=1&lq=1 – Thilo Mar 08 '18 at 08:12
  • This is what I did. I created 2 attributes "logout-code" & "logged-in" within the `sessionCreated(HttpSessionEvent se)`. Set them to 0 and FALSE respectively. After authentication succeeds, I set the value of "logged-in" to TRUE and for normal logouts, I set the value of "logout-code" to 1. – Nilashish C Mar 08 '18 at 09:45
  • Inside `sessionDestroyed(HttpSessionEvent se)` I check the value of logged-in and logout-code. If logged-in is TRUE and logout-code is 1, it is a normal termination of session. If logged-in is TRUE and logout-code is 0, it is an abnormal one. Could you point out any flaws? – Nilashish C Mar 08 '18 at 09:46
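
The flag-based check described in the comments above, combined with the idle timeout Thilo suggests, as an added example (not code from the original posters). The `login-time` attribute, the 30-minute timeout and the `record` method are assumptions for illustration; it targets the `javax.servlet` API and runs inside a servlet container.

```java
import java.time.Instant;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

@WebListener
public class LoginAuditListener implements HttpSessionListener {

    // Attribute names taken from the comments above.
    static final String LOGGED_IN = "logged-in";
    static final String LOGOUT_CODE = "logout-code";
    // Hypothetical attribute: the login handler stores an Instant here
    // at the same moment it sets "logged-in" to TRUE.
    static final String LOGIN_TIME = "login-time";

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        HttpSession s = se.getSession();
        s.setAttribute(LOGGED_IN, Boolean.FALSE);
        s.setAttribute(LOGOUT_CODE, 0);
        // A closed browser never calls invalidate(); the container's idle
        // timeout is what eventually ends the session. 30 min is an assumed value.
        s.setMaxInactiveInterval(30 * 60);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession s = se.getSession();
        if (!Boolean.TRUE.equals(s.getAttribute(LOGGED_IN))) {
            return; // never authenticated: no login record to close
        }
        boolean explicit = Integer.valueOf(1).equals(s.getAttribute(LOGOUT_CODE));
        // On a timeout the user was last seen at getLastAccessedTime(), not "now";
        // using "now" would overstate the session by the full idle interval.
        Instant end = explicit ? Instant.now()
                               : Instant.ofEpochMilli(s.getLastAccessedTime());
        record(s.getId(), (Instant) s.getAttribute(LOGIN_TIME), end,
               explicit ? "LOGOUT" : "TIMEOUT");
    }

    // Hypothetical persistence hook; replace with the application's own DAO.
    void record(String sessionId, Instant login, Instant end, String reason) {
        System.out.printf("%s login=%s end=%s reason=%s%n", sessionId, login, end, reason);
    }
}
```

With this, a browser that is simply closed produces a `TIMEOUT` record stamped with the last request time once the idle interval elapses, so no login row is left without an end time.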

1 Answer

-1

A session can be kept recorded on the user's browser via cookies. It basically allows the user to log in to the system again without having to authenticate. In this case you can store the bare minimum state information you need to restore when the client opens the browser again.

But the session ID is definitely going to change.

Stephen Docy
  • Why would the session id change when the cookie stays around? – Thilo Mar 08 '18 at 07:49
  • Hey Amit, thanks for the answer. But since cookies are client side components, would that be a sort of security flaw or design issue? – Nilashish C Mar 08 '18 at 07:50
  • Re: security flaw. You asked for the session to stay alive even when the browser is closed. Does this make the system less secure? Yes. Someone with access to the computer (and user account) can just pick up this session. – Thilo Mar 08 '18 at 07:52
  • Yes, that is the reason why I do not want to keep it alive after browser close. I wish to destroy a session as soon as the browser is closed. Any help with that? :) – Nilashish C Mar 08 '18 at 08:05
  • Don't create a cookie at all. Once the browsing session is closed, the session would be destroyed. – Amit Agarwal Mar 08 '18 at 08:54