Jean Bresse wrote:
> Hi:
>
> I know that a session can be destroyed by invoking the invalidate()
> method. It can also be destroyed once a certain time has passed,
> usually 30 minutes. The problem is as follows:
>
> 1) User A starts a session, then closes his/her browser.
>
> 2) User B invokes the same browser.
>
> Our environment wants to treat user B as a user with no session (for
> example, the user is prompted to log on, and only THEN a session is
> instantiated). Is there a way for the server to destroy the session
> upon the user closing the browser?
>
> If this is the right way to approach the problem, suggestions for a
> solution are most welcome! If any of the above is incorrect, your input
> is even more appreciated!
>
Most servlet containers configure their session ID cookies with the age value
that says "this cookie expires when the browser is closed" for precisely this
reason. In Java, you do this by calling Cookie.setMaxAge() with a negative
argument. Therefore, as soon as user A closes the browser (or it crashes on
them :-) and user B starts it, all the session cookies are gone.
As a side effect (for Netscape at least) this setting causes the cookie to
never be written out to the cookies.txt file, since there is no reason to save
it. This reduces the risk of someone being able to snoop your hard disk, swipe
your session ID, and impersonate you.
>
> Jean Bresse
>
Craig McClanahan
___________________________________________________________________________
Archives: http://archives.java.sun.com/archives/servlet-interest.html
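
A check for the behavior described in the reply above, as an added example that is not part of the original thread: it parses Set-Cookie headers with the JDK's java.net.HttpCookie, which reports a max age of -1 when a cookie carries no Max-Age or Expires attribute, and flags session-ID cookies that would outlive the browser. The class name, the cookie name list and the sample headers are constructed assumptions.

```java
import java.net.HttpCookie;
import java.util.ArrayList;
import java.util.List;

public class SessionCookieAudit {

    // Cookie names treated as session identifiers (assumption; adjust per application).
    static final List<String> SESSION_NAMES = List.of("JSESSIONID");

    /** Returns one finding per session-ID cookie that would survive a browser restart. */
    static List<String> audit(List<String> setCookieHeaders) {
        List<String> findings = new ArrayList<>();
        for (String header : setCookieHeaders) {
            List<HttpCookie> parsed;
            try {
                parsed = HttpCookie.parse(header);
            } catch (IllegalArgumentException e) {
                // Malformed header (for example a non-numeric Max-Age): report it, keep going.
                findings.add("unparseable header: " + header);
                continue;
            }
            for (HttpCookie c : parsed) {
                if (!SESSION_NAMES.contains(c.getName().toUpperCase())) {
                    continue; // not a session identifier, persistence is not our concern
                }
                // -1 means "discard when the browser exits"; 0 means "delete now".
                long maxAge = c.getMaxAge();
                if (maxAge > 0) {
                    findings.add(c.getName() + " persists for " + maxAge + "s after issue");
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample headers, not captured from any real server.
        List<String> sample = List.of(
            "JSESSIONID=0123456789ABCDEF; Path=/app; HttpOnly",
            "JSESSIONID=FEDCBA9876543210; Path=/app; Max-Age=1800",
            "theme=dark; Path=/; Max-Age=31536000");
        List<String> findings = audit(sample);
        findings.forEach(System.out::println);
        if (findings.isEmpty()) {
            System.out.println("all session cookies are browser-session only");
        }
    }
}
```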