4

I have an implementation of javax.servlet.http.HttpSessionListener that is supposed to detect user session invalidation/timeout in a Struts project.

The sessionDestroyed() never seems to be getting called, I can reproduce this by deleting my JSESSIONID and refreshing the page. I also find that leaving the browser open until the session times out has the same effect.

The site is running in JBoss 4.2.3.GA with Java 1.5.

I'm starting to suspect that HttpSessionListener does not do what I expect it to, am I missing something?

Edit :

My listener is registered in my web.xml as follows:

<listener>
    <listener-class>com.domain.web.listener.LogoutListener</listener-class>
</listener>
seanhodges
  • 17,426
  • 15
  • 71
  • 93
  • Have you configured the listener in web.xml? – Suresh Kumar Mar 22 '11 at 11:12
  • @Suresh yes, my listener is configured in the web.xml; will update my question – seanhodges Mar 22 '11 at 11:53
  • I have got the same problem with Tomcat and Java 1.7: 'sessionDestroyed' is not always invoked after session timeout while browser is opened. – Andremoniy Jan 15 '14 at 08:43
  • @Andremoniy If the browser is open and displaying a site page then it may be sending requests via plugins (like Firebug) which will keep the session alive. Remember also that sessionDestroyed is only invoked when the session data has been destroyed on the server, which is not necessarily the same point that the user has lost access to it. – seanhodges Jan 17 '14 at 11:51

2 Answers2

6

The sessionDestroyed() method is not called until the web container expires the session. The server doesn't know you deleted the JSESSIONID cookie, your browser just looks like another new session.

From what I've seen with Tomcat, and I believe it's up to each web container implementation, session expirations happens every minute. So even after the session times out there could be a delay until the next detection of expirations.

It should definitely happen eventually though. Especially if you set the timeout to a minute and wait a few minutes. Note the timeout is specified in minutes, so one minute is the minimum to test with. I assume you have your listener registered in your web.xml file?

WhiteFang34
  • 70,765
  • 18
  • 106
  • 111
  • That makes sense, I'll try adjusting the session timeout in JBoss to see if I just haven't been waiting long enough. – seanhodges Mar 22 '11 at 11:59
-2

you need to register listener in web.xml under WEB-INF in your application. your listener class name

xiaqingjue
  • 1