Does session end when user closes browser?

New Here, Oct 15, 2007
I need some clarification on the topic of sessions ending upon closing of a browser. Here's my situation: I have a web-based terminal emulator to gain access to the mainframe application. From this web-based emulator, I am invoking a web application. Once I do this, I have two separate windows open (two separate sessions?). Once I close my web application (but keep open the web-based terminal emulator), I am assuming that the session ends for that application. I find that this is not true because if I go into it about an hour later, I automatically get timed out (timeout in my application is 15 minutes). I read in documentation that if the J2EE Session Variables check box is checked that the session variables will expire whenever the user closes their browser, or when the session timeout period elapses (whichever comes first).

My question is: do I have to have all browser sessions closed to expire my session variables? If so, that would be the reason why I am still timing out once I go back into an application that's been closed for a while. Can someone confirm this? Any help would be greatly appreciated. Thanks!

LEGEND, Oct 15, 2007
"I read in documentation that if the J2EE Session Variables check box
is checked that the session variables will expire whenever the user
closes their browser, or when the session timeout period elapses
(whichever comes first)."

No, this is not quite the way it works. The session only expires on the
server after the defined timeout. The server has no knowledge you have
closed your browser. Browsers do not send notifications to all the
websites that you have visited telling them you are closing it. There
are some JavaScript solutions that attempt to mitigate this, but I don't
find them all that reliable.

What happens is that the cookie values that define which session a user
belongs to are discarded by the browser. Thus if a user connects to your
website again, it does not have these cookies to send so a new session
is created. But the old one could easily still exist.

To expand on this, since HTTP requests & responses are stateless, a
server has no idea who is making them. To allow this, unique
(hopefully) cookie values are assigned to each user and the browser must
return these values in all future requests to access the same session.
Without these values, new sessions are generated.

HTH
Ian
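
The behaviour described in the reply above, as an added example that is not part of the original thread and not ColdFusion's own code: a minimal in-memory session store in Python showing that a dropped cookie yields a new session while the old one stays valid on the server until the idle timeout removes it. The class, method names and the sample user value are hypothetical and constructed for illustration.

```python
import secrets

class SessionStore:
    """In-memory session table with a server-side idle timeout."""
    def __init__(self, idle_timeout_s, clock):
        self.idle_timeout_s = idle_timeout_s
        self.clock = clock      # injectable clock so the demo needs no sleeping
        self._sessions = {}     # session id -> {"last_seen": t, "data": {}}

    def handle_request(self, cookie_sid=None):
        """Return (sid, data) for a request, minting a new session if needed."""
        now = self.clock()
        entry = self._sessions.get(cookie_sid)
        if entry is not None and now - entry["last_seen"] > self.idle_timeout_s:
            del self._sessions[cookie_sid]      # idle too long: expire on access
            entry = None
        if entry is None:
            cookie_sid = secrets.token_urlsafe(32)      # unguessable identifier
            entry = self._sessions[cookie_sid] = {"last_seen": now, "data": {}}
        entry["last_seen"] = now
        return cookie_sid, entry["data"]

    def sweep(self):
        """Drop every session idle past the timeout; return how many were removed."""
        now = self.clock()
        stale = [sid for sid, e in self._sessions.items()
                 if now - e["last_seen"] > self.idle_timeout_s]
        for sid in stale:
            del self._sessions[sid]
        return len(stale)

    def live_count(self):
        return len(self._sessions)

def demo():
    """Constructed scenario: 15-minute timeout, browser closed after one request."""
    t = [0]
    store = SessionStore(idle_timeout_s=15 * 60, clock=lambda: t[0])
    old_sid, data = store.handle_request()      # first visit, cookie issued
    data["user"] = "alice"                      # constructed sample value
    t[0] += 60
    new_sid, _ = store.handle_request(None)     # browser reopened: no cookie sent
    after_close = store.live_count()            # old session is still on the server
    t[0] += 5 * 60
    replayed, rdata = store.handle_request(old_sid)     # old id still resolves
    t[0] += 16 * 60
    removed = store.sweep()                     # only the timeout removes them
    return {"new_session": new_sid != old_sid, "live_after_close": after_close,
            "old_id_still_valid": replayed == old_sid and rdata.get("user") == "alice",
            "removed_by_timeout": removed, "live_at_end": store.live_count()}
```

Calling `demo()` returns the state at each step; the old identifier remains usable for the full idle window after the browser is gone, which is why the timeout value is the control that bounds exposure.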

New Here, Oct 15, 2007
Does anyone have any suggestions on how to expire the session variables for that web application that gets closed that is a reliable solution?

LEGEND, Oct 15, 2007
"Does anyone have any suggestions on how to expire the session variables
for that web application that gets closed that is a reliable solution?"

Don't use the HTTP standard!

The first solution off the top of my head would be a Flex application.
That is one of the big benefits to Flex. A Flex application is not
stateless, it can maintain an open connection with the server. It can
do something on some type of end|close of application event.

As I mentioned in the first reply, there are JavaScripts that attempt to
do this. But they rely on non-standard events that may not exist in all
browsers and users can disable or circumvent JavaScript code execution.
If you are comfortable with these caveats, then you can attempt to use
this code.

Other non-http network technologies could probably also be utilized, but
I am not knowledgeable in these other tools.

But are you absolutely sure you need this functionality? What is the
exact problem you are attempting to solve? In ten years of web
application development often working with other systems such as legacy
mainframe databases and applications, I have never needed this level of
granular session expiration.