On Thu, 15 Jul 1999, Augusto Sellhorn wrote:
> But when I use cookies and set the time to -1, they seems to go away
> when the browser exits.
>
> Sessions seem to live even though the user exits the browser :
> ( Could be a bug the servlet engine ? I'm just wondering what the
> supposed behaviour is.
Remember, cookies exist in the browser (i.e. on the client), sessions
exist on the server.
-1 is the default age for cookies, and means that a cookie should not
be persistent, i.e. it is not stored on the client machine and will go
away when the browser exits (as you are seeing). An age of 0 for a
cookie means it should be deleted immediately (don't know if this is
dependent on the clocks on the server and client being in sync, like
the "Expires:" response header).
Since sessions are on the server, and the server has no way of knowing
when the browser exits, a browser exiting has no effect on the
session. That's why you are seeing the behavior you are.
> I'm using timeouts right now, and that's ok. But it would be even
> better if I could have timeouts and a little browser "hint" to say
> "Please if you can, when you exit, remove that cookie" :)
For that, you'd have to use something like Cezar's making users logout
suggestion (well, suggesting/requesting/pleading/begging, not making :-).
> Cezar Totth wrote:
> >
> > Hi,
> >
> > On Thu, 15 Jul 1999, Augusto Sellhorn wrote:
> >
> > > So I'm using the setMaxInactiveInterval() method, and it does what I
> > > want. Now I'd like to tell the Session to be removed when the user
> > > exits the browser. You can do this with cookies, but how can you do
> > > it with a Session object ???
> > >
> > > If it can't be done, would it be a good idea to have a getCookie()
> > > method in the Session interface ? We need more control :)
> > >
> > It cant be done due to HTTP behavior. There is no request sent to the
> > server when user closes the browser or just navigates completely out of
> > your servlet engine.
> >
> > The cookie is "closed" at the broser level, when browser program ends,
> > the server has no clue about that.
> >
> > Even if you get the cookie info from the session that will not help
> > too much - it does not tell you nothing when user's browser is closed.
> >
> > Workarounds are available all adding more or less drawbacks:
> >
> > - Implement an logout servlet and put links within all (or some)
> > http pages of your application:
> > Whithin its doGet() just set a one (zero?) second
> > timeout for the current session, so it will expire almost instantly.
> >
> > Drawbacks: added servlet, users must click "logout" links or buttons
> > in order to be logged out (hard to convince them to do that, just to
> > see nothing happens :-)
> >
> > - Use a very small timeout (let it be 30 seconds)
> > for all sessions and have each page
> > including a small image (logo, animation...) or frame that refreshes
> > each 15 seconds. This image being provided by an
> > "ImageRefreshingServlet" whose only purpose is to send the
> > same image binary to the browser.
> >
> > When user leaves the application session will expire very quick.
> > (too quick one might say)
> >
> > Drawbacks: overload on servlet engine. Possible problems on slow links.
> > Possible problems with caches. Dont know what happens with doPosts()
> > that last longer than 30 seconds to return
> > (do they expire session or not?)
> >
> > Other ideas?
>
Milt Epstein
Research Programmer
Software/Systems Development Group
Computing and Communications Services Office (CCSO)
University of Illinois at Urbana-Champaign (UIUC)
[EMAIL PROTECTED]
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
