Does closing the Application browser window end the session? - spring

In a Spring MVC app, does closing the application browser window end the session?
And when a new window is opened, then a new session is started?
Is my understanding correct?

Starting with some details first and then answering your specific questions below.
If you have a network inspection tool, you'll notice that the first time your browser interacts with the server, there is a header in the response that looks like Set-Cookie: JSESSIONID=<session_id> (assuming Tomcat). The server has created a session and has given that session ID. The server will typically create a new session when either the request did not have a session ID or the session ID was invalid. This cookie is stored in the browser's cookie store and will be sent in subsequent requests as a Cookie header.
If the cookie does not define an expiration, the browser will treat this cookie as a session cookie, which is transient or will only live until the browser is closed. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie.
So closing your browser would only lose the client-side reference (session ID) to the session. While the session on the server is orphaned (assuming nothing else has a reference to the session ID), the session is still very much alive. If there are no further requests for that session, the session will eventually time out and end. You can configure the timeout via this property - server.servlet.session.timeout.
Now to answer your exact questions:
Q: Does closing the application browser window end the session?
The browser cookie store will no longer contain the session ID after closing. The server session will be orphaned and eventually time out/end.
Q: And when a new window is opened then a new session is started
If the browser is already open and you made a request to the server once before, opening another window that hits the server would not create a new session. Both windows share the same cookie store.
But if you were to open a new window after launching the browser process or clearing your cookies, a new session would be created. Again, this is due to the request from browser to server not containing the session ID.
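The behaviour described in this answer, modelled as an added example (not code from the original answer, and not Tomcat or Spring code). The names Server, Browser and IDLE_TIMEOUT are assumptions of this sketch, and the timestamps passed to it are constructed values in seconds.

```python
import secrets

IDLE_TIMEOUT = 1800  # seconds; stands in for server.servlet.session.timeout


class Server:
    """Toy session store (assumption: not Tomcat or Spring code)."""

    def __init__(self):
        self.sessions = {}  # session id -> time of last request

    def handle(self, cookies, now):
        # Expire sessions that have been idle longer than the timeout.
        for sid, last in list(self.sessions.items()):
            if now - last > IDLE_TIMEOUT:
                del self.sessions[sid]
        sid = cookies.get("JSESSIONID")
        if sid in self.sessions:
            self.sessions[sid] = now  # known id: refresh the idle timer
            return sid, None
        sid = secrets.token_hex(16)  # missing or invalid id: new session
        self.sessions[sid] = now
        return sid, f"JSESSIONID={sid}; Path=/; HttpOnly"


class Browser:
    """One browser process; every window shares this cookie jar."""

    def __init__(self):
        self.jar = {}  # name -> (value, is_session_cookie)

    def request(self, server, now):
        sent = {name: value for name, (value, _) in self.jar.items()}
        sid, set_cookie = server.handle(sent, now)
        if set_cookie:
            pair, *attrs = [p.strip() for p in set_cookie.split(";")]
            name, value = pair.split("=", 1)
            keys = {a.split("=")[0].lower() for a in attrs}
            # No Expires or Max-Age attribute makes it a session cookie.
            self.jar[name] = (value, not keys & {"expires", "max-age"})
        return sid

    def close(self):
        # Closing the browser discards session cookies, keeps persistent ones.
        self.jar = {n: c for n, c in self.jar.items() if not c[1]}
```

Two request() calls from the same Browser return the same id; after close() the next request gets a new id, while the old id stays in Server.sessions until IDLE_TIMEOUT has passed, which is why an explicit logout has to invalidate the session on the server.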

Related

Session being overridden in spring security application

In a Spring Security application I am navigating to the login page, entering my credentials and getting logged in. Now if I open a new tab in the same browser and navigate to the login URL, it shows me the login page. If I enter another user's credentials and log in, my previous JSESSIONID (i.e. the one created in the previous tab) is overridden with the new JSESSIONID. Upon refreshing the previous tab, the session is overridden.
I want to implement that if a user is logged in already in the application, upon navigating to the URL again in another tab on the same browser the homepage of the application should open.
Please advise how I can accomplish that.
Since the server uses the cookie to map to the current session, you'd have to control how the browser sends cookies. Every time a request is sent to a website from a new tab, most browsers will send all the cookies they have for that domain. Since your server received the same session cookie, it will treat this request as being in the same session. There's no way it can tell the difference.
Therefore, as far as cookie-based web sessions go at least, you probably won't be able to force the creation of a new session upon opening a new tab.

Relationship Between Session, cookies and their behaviour

I am working on a project. After login I assign some value to a session variable, like Session("userid")=XYZ. If I open any page inside the application it will check for this value, and if it's not empty and has permission to access the page, I am allowing it.
Now suppose I am accessing www.Domain.com/Pagename and close the tab and open the same link after copy-paste: it checks for the session and it opens the same page, which is absolutely fine.
But when I restart the browser and try to open the page by copy-pasting the link, it's throwing me back to the login screen. Since the session is server side this should not happen. But I read on w3school that the session is maintained using a cookie, and the cookie is lost after a browser restart, so how can I maintain my session even after a browser restart till it times out? It seems session and cookie are contradicting each other. I didn't have this problem with similar code in an ASP.NET application, but in classic ASP it doesn't seem to work.

Different ways of maintaining session

What are the different ways of maintaining session in a browser?
Consider a scenario;
I am browsing a secure site in Firefox and the browser crashes. Now when I open the browser again and I do Restore tabs, my previous session is restored back? Is that handled automatically by the browser OR is it code-based?
Also can we control session based on tab close vs window close, etc?
Is there any connection between maintaining the session at server vs having the same at client side?
What are the different ways of maintaining session in a browser?
The different ways of maintaining sessions are:
Cookies (most standard way)
URL rewriting
HTML form hidden fields
Consider a scenario; I am browsing a secure site in Firefox and the
browser crashes. Now when I open the browser again and I do Restore
tabs, my previous session is restored back? Is that handled
automatically by the browser OR is it code-based?
It is handled by the browser automatically if it was cookie based, otherwise you will manage that.
Also can we control session based on tab close vs window close, etc?
On the server you can control the session just by time, meaning when it becomes invalid, but if you want to do something that will invalidate the session when a tab is closed then, according to me, you can bind to the close event in JavaScript and then delete the cookie that was used to manage the session, PHPSESSION (in PHP's case).
Is there any connection between maintaining the session at server vs
having the same at client side?
Yup :)
When you create a session you are actually sending a cookie.
Think you are coding in PHP and you create a session. What happens is: a file will be created on the server (a file is the default way to handle sessions in PHP, but you can also change that) and a unique ID will also be created on the server that will represent that session. Say you create a session: a file will be created with the name sjflsj3lrh324l2hjlskdjfl3hl.session and a unique ID will also be created, e.g. sjflsj3lrh324l2hjlskdjfl3hl.
Now when you store anything in the session you are actually storing it in this file, and when you send the response to the browser, you also send a cookie to the browser, and the cookie value will be this ID. So next time you reopen that site, the browser will first check whether any cookie was received from this domain before. If yes, it sends that with the request, and then on the server PHP will check whether the request contains any cookie. If so, it will check whether a file with that name exists, and if it exists, that means there was a session. It will then open that file, and all variable values that were saved in it will be restored into PHP variables.

When a request session is generated in WebLogic, how is the session ID determined?

When a session is invalidated in a web app, if I make a new request to that app with the invalidated jsessionid in the cookie, what will be the new session's ID? As I inspect, a new session is generated but the session ID remains the same. I couldn't give an explanation for this. Is there such a convention to keep the jsessionid in the cookie and give that value to the newly created session, or am I doing something wrong? :)
The Scenario.
I have 2 webapps on the same WebLogic. The WLCookie name for these apps is the same.
When the user enters appA I am making an asynchronous call to appB's logout servlet, where appB's session is invalidated.
When the user clicks a link in appA which refers to appB, I am creating a new session in appB, and when I check for the session ID in the cookie it still remains the same one which was first created in appA.
As I know, two webapps on the same WebLogic do not share their sessions if not configured, but although I invalidated appB's session from outside, why does the newly created session still have the same session ID?
Thanks.
Do not confuse jsessionid with sessions. jsessionid is unique per container instance, whereas a session is per app. So, the session data won't propagate from AppA to AppB just because they share the same jsessionid.

Show popin if session is inactive

In my web application, I would show a popin if the session was inactive for 30 minutes.
Have you any idea about how to do that with SpringMVC?
Thank you
I would do this as follows:
Configure your container to expire sessions after 30mins
When a user makes an initial request and a new session is created store a cookie which contains the session id.
On subsequent requests check the session id on the request against the session id stored in the cookie, if they're different the user's previous session has expired and you should show a pop-up.
One more thing to note, ensure that you set the max age of the cookie to be negative. This ensures that the cookie is deleted when the browser is closed. If you don't do this, the next time the user opens their browser and goes to your site they will see the pop-up.
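The comparison described in this answer, as an added example (not the answerer's code, and a language-neutral model rather than Spring MVC). The cookie name LAST_SESSION and the functions fingerprint and check_inactivity are hypothetical, and storing a SHA-256 digest instead of the raw session id in the second cookie is an assumption of this sketch, made so the id is not exposed in a second place.

```python
import hashlib
import hmac

TRACKER = "LAST_SESSION"  # hypothetical cookie name, not from the original answer


def fingerprint(session_id):
    # Assumption of this example: keep a digest, not the raw id, in the cookie.
    return hashlib.sha256(session_id.encode()).hexdigest()


def check_inactivity(current_session_id, cookies):
    """Compare the container's current session with the tracker cookie.

    Returns (show_popup, set_cookie); set_cookie is None when the tracker
    already matches the current session.
    """
    expected = fingerprint(current_session_id)
    seen = cookies.get(TRACKER)
    if seen is not None and hmac.compare_digest(seen.encode(), expected.encode()):
        return False, None  # same session: the user is still active
    # No Max-Age/Expires: the tracker is a session cookie and is dropped when
    # the browser closes (a negative max age in the Servlet Cookie API).
    header = f"{TRACKER}={expected}; Path=/; HttpOnly; Secure; SameSite=Lax"
    # Tracker present but stale: the old session expired and was replaced.
    # Tracker absent: first visit or fresh browser start, so no popup.
    return seen is not None, header
```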