It's pretty common for users to close the browsers instead of logging off. In such circumstances it's critical that the session be invalidated, especially if the computer is a shared computer.
Now the problem doesn't arise if the cookie that is being used for session management has it's max age set to a negative value, implying that the cookie needs to be deleted when the brower is closed.
We are having a problem because our servlet engine(JRun) seems to be setting a positive value for the max age of the cookie.
Is there a standard way to get hold of the cookie for the session from the response object before it's sent to the browser ? Any other standard way to solve the problem?
Sachin.
p.s
1. Jrun has a Response.Cookies(name) api but that's not standard JSP
2. We don't want to wait for the next request and get the cookie from the request object.
3. We could create our own secondory session cookie, but we want to avoid doing that.
