Reputation: 10665
Destroy user session stored in database on window close
In our JAVA web application we maintain users' session in a database table active_sessions. And we do not allow multiple sessions per user. what it means is, if you are already logged in with a particular user account, you cannot open a new session with the same account. In case somebody does, we display error 'User already has an active session'. When user clicks on Logout his entry from table active_sessions is removed. But in case where user closes the window without logging out his entry remains in the table active_sessions. So any attempt to login in future results in an error 'User already has an active session'. Any tips on how to destroy user session in database in case he closes the browser window without logging out.
Edit: After reading all the posts it seems there is no clean way to restrict single session per user.
Upvotes: 0
Views: 1646
Answers (3)
Reputation: 15628
Use the 'onbeforeonload' JavaScript event which can perform an AJAX call to your server to delete the entry. This event will however be executed each time the page is unloaded so if you don't have a SPA then you'll need to ignore the event for href and such.
Agree with Almas however that your approach is dangerous in the sense that it is not possible to enforce this 100%. E.g. if the user kills the browser process then even this JS event would not be published. Furthermore, a user can simply use another browser to bypass your 'protection'.
Upvotes: 2
Reputation: 356
The basic thing about HTTP is that it is request/response protocol. i.e. Things are changed/accessed only by making a request to the server. This 'limitation' makes your requirement interesting. There can be two workarounds for this:-
Poll the server at a repeated interval through an AJAX call. As long as you application keeps getting the polling AJAX request you can assume that the window is open.
Use javascript (window.onunload ) to fire an event to destroy user session when the browser is closed.
Upvotes: 0
Reputation: 8865
In the server side users HTTP session is normally invalided after a certain period of idle time. You can implement http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpSessionListener.html and register it in web.xml to receive notifications about session create/destroy etc. In your listener implementation you could delete the table entry on session destroy event.
Upvotes: 1
Related Questions
- Can I expire all sessions of a user?
- How to delete a user session by admin forcely
- Destroying session on close of the browser from the task bar
- java web application destroy 1st login session after 2nd login
- How to close a specific session in Java EE
- How to Delete data from Database upon closing the browser
- Destroy a session
- Destroying a Session While Closing the Browser in JSP
- How can I remove session related information from database when the session gets killed?
- Kill user session