Ending session when user closes window w/o logging out

Similar Messages

• Force end of session when user closes window without logging out

  I want to protect sensitive employee data. Does anyone know how to force a user's portal session to be terminated after a user closes a window with the "X" instead of logging out?

  Web application is connectionless. So there is no way to tell if a user has disconnected. If the user diligently logout, then invalidating a session is no problem. However, if you wish to invalidate the user upon closing of window, I suggest you drop that idea and change to different approach.
  1. If you are trying to impose single logon policy, you may consider invalidate an existing session if the same user login again.
  2. If you really need to invalidate a user session as soon as he is inactive (or closes window). I suggest you set a very small timeout interval (maybe 3 minutes). Then for all the pages, implement a simple invisible IFRAME that will keep refreshing itself (say every 2 minutes) on a dummy JSP/servlet URL. The fact that this IFRAME always hit the URL at 2 mins interval will keep the user session valid. Once the browser window is closed, the session will be invalidated in max 3 mins time.
  The final suggestion is to drop that idea altogether, the point is ... implement such feature is like twisting web application to do something that it is not design to do naturally.

• Authenticate when user clicks back button after logging out

  Hi All,
  Is there a way that the user can be forced to authenticate, if he has just logged out, and then clicks the back button.
  I have a situation where a user who is working on relatively sensitive data logs out (yeees they should close the browser and all, but they never obey instructions... ) and someone else can come around and click the back button, and see what what he had been working on.
  Is there a way to disable this behaviour, or otherwise force a reload/re-authentication.
  Thanks.

  Hi there,
  You can accomplish this by writing this code in each page of your application
  Write this in your html header:
  <script type="text/javascript">
  javascript:history.go(1);
  </script>and write this in Page HTML Body Attribute:
  onunload="javascript:history.go(1)";It will not allow your users to go back.
  Thanks
  Tauceef

• When i close window with multiple tabs angd start new session (open new window) old tabs open again, how can i stop it?

  when i close window with multiple tabs and start new session (open new window) old tabs open again, how can i stop it?

  It is possible that there is a problem with the files [http://kb.mozillazine.org/sessionstore.js sessionstore.js] and sessionstore.bak in the [http://kb.mozillazine.org/Profile_folder_-_Firefox Profile Folder]
  Delete [http://kb.mozillazine.org/sessionstore.js sessionstore.js] and sessionstore.bak in the [http://kb.mozillazine.org/Profile_folder_-_Firefox Profile Folder]
  * Help > Troubleshooting Information > Profile Directory: Open Containing Folder
  If you see files sessionstore-##.js with a number in the left part of the name like sessionstore-1.js then delete those as well.
  Deleting sessionstore.js will cause App Tabs and Tab Groups to get lost, so you will have to create them again (make a note).
  See:
  * http://kb.mozillazine.org/Session_Restore

• [SOLVED] Disconnecting session when client close browser's window or tab

  Hello,
  I'm looking for disconnect my database session and invalidate the session with the "onunload" af:document function. I think that is the same as the "onunload" in "body" html tag.
  I see some documentation about that, for example:
  http://www.oracle.com/technology/products/jdev/htdocs/partners/addins/exchange/jsf/doc/tagdoc/core/document.html
  and I see that is enable to put an EL Expression, so I try with this:
  <f:view>
  <af:document binding="#{backing_user.document_user}" id="document_user" onunload="#{backing_user.logout}">
  <af:form binding="#{backing_user.form_user}" id="form_user"/>
  </af:document>
  </f:view>
  and not works, then I try:
  <f:view>
  <af:document binding="#{backing_user.document_user}" id="document_user" onunload="return logout_function()">
  <af:form binding="#{backing_user.form_user}" id="form_user"/>
  </af:document>
  </f:view>
  and as this, I try a lot of combinations, with no result. I take my time searching in various browsers but, surprisingly, I fount not much information about this (rare, I think is a very interesting matter).
  What is the way to be able this funcionallity?
  Thanks,
  Westh
  Edit: obviusly, logout_function() is a correct javascript function :P

  Hello,
  I resolve my problem. Now I go to describe the steps in a little tutorial.
  Remmember that this is a very basic tutorial that only allow you to do this matter, but not in deep. See bottom links for more information.
  Step's list:
  1) Download Shale framework from http://shale.apache.org/index.html#download
  2) Import all .jar libraries in your application.
  3) Open your web.xml file and add this:
  <context-param>
  <param-name>org.apache.shale.remoting.DYNAMIC_RESOURCES</param-name>
  <param-value>/dynamic/*:org.apache.shale.remoting.impl.MethodBindingProcessor</param-value>
  </context-param>
  4) Consider this:
  4.1) Managed bean --> userBean.java that have this method:
  public void logout () {
  /* Your logout code */
  and this name in faces-config.xml:
  <managed-bean>
  <managed-bean-name>userBeanId</managed-bean-name>
  <managed-bean-class>userBean</managed-bean-class>
  <managed-bean-scope>session</managed-bean-scope>
  </managed-bean>
  4.2) JSP Page --> home.jsp that have this code:
  A clinet listener:
  <af:clientListener method="unloadEvent" type="load"/>
  and this javascript functions:
  <f:verbatim>
  <script type="text/javascript">
  function unloadEvent () {
  window.onunload = function () {
  processUnload();
  function processUnload () {
  var httpRequest;
  if (window.XMLHttpRequest) {
  httpRequest = new XMLHttpRequest();
  } else if (window.ActiveXObject) {
  httpRequest = new ActiveXObject("Microsoft.XMLHTTP");
  httpRequest.overrideMimeType('text/xml');
  httpRequest.onreadystatechange = function() { alertContents(httpRequest); };
  httpRequest.open('GET', 'dynamic/userBeanId/logout.faces', false);
  httpRequest.send('');
  function alertContents(httpRequest) {
  if (httpRequest.readyState == 4) {
  if (!httpRequest.status == 200) {
  alert('There was a problem with the request. Http code: ' + httpRequest.status);
  </script>
  </f:verbatim>
  Assuming the suffix '.faces' is mapped to the JSF servlet.
  With this, you are able to acces to logout method of userBean (using ajax) when client closes window or tab. No servlets, no 'logout.jsp' pages, etc; and the most important thing: the code never be repeat! it's funny :)
  Westh
  Resources:
  http://thepeninsulasedge.com/blog/2007/06/22/adf-faces-rc-more-on-javascript/
  http://thepeninsulasedge.com/frank_nimphius/adf-faces-rich-client-javascript-programming/
  http://www.oracle.com/technology/products/adf/adffaces/11/doc/multiproject/adf-richclient-api/tagdoc/af_clientListener.html
  http://shale.apache.org/shale-remoting/apidocs/org/apache/shale/remoting/package-summary.html
  http://shale.apache.org/shale-remoting/index.html

• Invalidate session when user clicks back button

  I want to invalidate the session when user clicks back button, so that user cannot refresh and reload a page.
  Any suggestions will be highly appreciated.
  Message was edited by:
  sam_amc

  * SessionInvalidator.java
  * Created on October 27, 2006, 9:18 AM
  package web;
  import java.io.*;
  import java.net.*;
  import javax.servlet.*;
  import javax.servlet.http.*;
  * @author javious
  * @version
  public class SessionInvalidator extends HttpServlet {
      /** Processes requests for both HTTP <code>GET</code> and <code>POST</code> methods.
       * @param request servlet request
       * @param response servlet response
      protected void processRequest(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
          response.setContentType("text/html;charset=UTF-8");
          PrintWriter out = response.getWriter();
          String reposted = request.getParameter("reposted");
          if("true".equals(reposted))
              HttpSession session = request.getSession(false);
              if(session == null)
                  // This is step 4 and beyond
                  out.println("<html>");
                  out.println("<head>");
                  out.println("<title>Servlet SessionInvalidator</title>");
                  out.println("</head>");
                  out.println("<body>");
                  out.println("<h1>Servlet SessionInvalidator at " + request.getContextPath () + "</h1>");
                  out.println("I said, your session is now invalid! Now where are those Duke Dollars at?");
                  out.println("</body>");
                  out.println("</html>");
              else
                  Integer hitCount = (Integer)session.getAttribute("hitCount");
                  if(hitCount == null)
                      // This is step 2 (the "good" - "stay" page.)
                      out.println("<html>");
                      out.println("<head>");
                      out.println("<title>Servlet SessionInvalidator</title>");
                      out.println("</head>");
                      out.println("<body>");
                      out.println("<h1>Servlet SessionInvalidator at " + request.getContextPath () + "</h1>");
                      out.println("Your session is good.<br>");
                      out.println("If you click the browser's back button, you will invalidate your session.");
                      out.println("</body>");
                      out.println("</html>");
                      hitCount = 1;
                      session.setAttribute("hitCount", hitCount);
                  else
                      //We've used up our good visit
                      session.invalidate();
                      // This is step 3
                      out.println("<html>");
                      out.println("<head>");
                      out.println("<title>Servlet SessionInvalidator</title>");
                      out.println("</head>");
                      out.println("<body>");
                      out.println("<h1>Servlet SessionInvalidator at " + request.getContextPath () + "</h1>");
                      out.println("Your session is now invalid");
                      out.println("</body>");
                      out.println("</html>");
          else
              // because the javascript in the following output will never allow a user
              // to continue clicking back any further than this, we can safely create the session.
              // (or perhaps the session can already be created here and this may not be necessary).
              // A problem lies where if the user chooses to "select" a page back in history they thereby
              // potentially skip back "over" this functionality, thus defeating the purpose of it.
              request.getSession(true);
              // This is step 1 (indirection)
              out.println("<html>");
              out.println("<head>");
              out.println("<title>Servlet SessionInvalidator</title>");
              out.println("</head>");
              out.println("<body onload=\"document.getElementById('invalidatorForm').submit()\">");
              out.println("<h1>Servlet SessionInvalidator at " + request.getContextPath () + "</h1>");
              out.println("<form id=\"invalidatorForm\" action=\"SessionInvalidator\" method=\"POST\">");
              out.println("<input type=\"hidden\" name=\"reposted\" value=\"true\">");
              out.println("</form>");
              out.println("</body>");
              out.println("</html>");
          out.close();
      // <editor-fold defaultstate="collapsed" desc="HttpServlet methods. Click on the + sign on the left to edit the code.">
      /** Handles the HTTP <code>GET</code> method.
       * @param request servlet request
       * @param response servlet response
      protected void doGet(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
          processRequest(request, response);
      /** Handles the HTTP <code>POST</code> method.
       * @param request servlet request
       * @param response servlet response
      protected void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
          processRequest(request, response);
      /** Returns a short description of the servlet.
      public String getServletInfo() {
          return "Short description";
      // </editor-fold>
  }The problem with even attempting to do this is that with today's browser capabilities, users can optionally choose to jump to a particular page in the browser history and this may not necessarily be the most recent page. In this case, you would also want to invalidate the user's session after already having been there (whatever page that may be). Then you have situations when the user may wish to jump back in history to external pages they were visiting before they reached your own site's pages. Then what happens when they start clicking forward, forward, etc... from there? This is why I prefer writing Swing Clients as alternatives to browser applications. There are soo many possible ways break web applications made for standard web browsers both maliciously and simply by accident or irregular user patterns. Regardless, this servlet would work based on the assumption that all the user(s) would "ever" do aside from moving logically forward is clicking on the browser's "back" button.
  cheers!
  Message was edited by:
  javious

• Call JavaScript when user closes browser containing webcenter

  Hi
  Scenario:
  1. Webcenter is opened in a browser.
  2. User closes the browser
  Requirement:
  - When user closes browser containing webcenter, a java script (or a servlet) should get called.
  As you know, we can call a script in 'onunload()' of body tag.
  But how do we call it with webcenter?
  Thanks.
  Edited by: 873687 on Dec 14, 2011 5:34 AM

  Here is a few links that I found for the JavaScript side you might play aroudn with.
  http://developer.irt.org/script/1230.htm
  http://www.webreference.com/js/tutorial1/reference.html
  http://www.experts-exchange.com/Web/Web_Languages/JavaScript/Q_20953676.html
  http://www.devguru.com/Technologies/ecmascript/quickref/window.html
  And two in German
  http://www.uni-magdeburg.de/service/www/books/muenz/javascript/objekte/window.htm
  http://www.exine.de/clientseitig/js_work_events.htm

• Safari quits when I close window!!!

  Safari quits when i close any window since tiger installation

  Try this link:
  marrakechprod, "Safari quits when I close window....", 06:00pm Jun 16, 2005 CDT

• Session does not end even when i close browser

  when i close firefox/IE the session continues ,What i need is that i am adding amount in shopping cart ,but the amount adds to old amount even when i open a new browser window ,
  i hv checked that my browser will remove cookies when i will close mozilla
  i hv also printed total=0 in servlet's ini method but the init method is called only once and total does not reset to 0,does 'th the call to init method is made everytime we start a new session via browser ,it does not get called whn i close the current browser and open new one.how to destroy the older servlet?
  I m using s=request.getSession()
  and s.setAttribute("billamnt",total)
  the code of the servlet is
  import javax.servlet.*;
  import javax.servlet.http.*;
  import java.io.*;
  public class addtocart extends HttpServlet
       HttpSession s;
       PrintWriter pw;
       int total,cam,mob;
       public void init()
            total=0;
            cam=0;
            mob=0;
            System.out.println("inside  cart init");
  public void service(HttpServletRequest req,HttpServletResponse res) throws IOException
       s=req.getSession();
      res.setContentType("text/html");
       pw=res.getWriter();
       pw.println("<html><body><a href="+"mobs"+">Mobile</a><br><a href="+"cams"+">Camera</a><form method = "+"post "+"action ="+"bill"+"><br><input type= "+"submit"+"></form></body></html>");
      if(req.getParameter("csony")!=null)
      cam=cam+Integer.parseInt(req.getParameter("csony"));
      if(req.getParameter("clg")!=null)
      cam=cam+Integer.parseInt(req.getParameter("clg"));
      if(req.getParameter("cnokia")!=null)
      mob=mob+Integer.parseInt(req.getParameter("cnokia"));
      if(req.getParameter("cerricson")!=null)
      mob=mob+Integer.parseInt(req.getParameter("cerricson"));
      s.setAttribute("cambill",new Integer(cam));
      s.setAttribute("mobbill",new Integer(mob));
      s.setAttribute("billamnt",new Integer(cam+mob));
  public void doPost(HttpServletRequest req,HttpServletResponse res)
  public void doGet(HttpServletRequest req,HttpServletResponse res)
  }Wats the problem?
  Message was edited by:
  pooja_k_online

  The servlet is not created on a session basis. All users share the same servlet object. The servlet is created once when the servlet is first called in the context, then is maintaned until the server shuts down.
  You should not store any state in the servlet. You should use the HttpSession object you get from the request object to store the totals, and all other values. You should not use the servlet to hold on to a session object, as multiple users would see the SAME session that way. If you need to use the session in multiple methods, then you should pass that object as parameter, not by making it a class member.
  You also shouldn't put the work in the service method of the HttpServlet. You should put it in either the doGet or doPost method (and if you want to make it happen for both type requests, call doPost from the doGet method and put the work in the doPost method).
  For example:
  public class ShoppingCartServlet extends HttpServlet {
    public void doGet(HttpServletRequest request, HttpServletResponse response) {
      doPost(request, response);
    public void doPost(HttpServletRequest request, HttpServletResponse response) {
      HttpSession session = request.getSession();
      Integer cambill = (Integer)session.getAttribute("cambill");
      int cam = 0;
      if(cambill != null) cam = cambill.intValue();
      Integer mobbill = (Integer)session.getAttribute("mobbill");
      int mob = 0;
      if(mobbill != null) mob = mobbill.intValue();
      Integer billamnt = (Integer)session.getAttribute("billamnt");
      int total = 0;
      if(billamnt != null) total = billamnt.intValue();
      String csony = request.getParameter("csony");
      if (csony != null) cam += Integer.parseInt(csony);
      String clg = request.getParameter("clg");
      if (clg != null) cam+= Integer.parseInt(clg);
      String cnokia = request.getParameter("cnokia");
      if (cnokia != null) mob += Integer.parseInt(cnokia);
      String cerricson = request.getAttribute("cerricson");
      if (cerricson != null) mob += Integer.parseInt(cerricson);
      total = cam + mob;
      session.setAttribute("cambill",new Integer(cam));
      session.setAttribute("mobbill",new Integer(mob));
      session.setAttribute("billamnt",new Integer(total));
      PrintWriter pw=response.getWriter();
      pw.println("<html><body><a href="+"mobs"+">Mobile</a><br><a href="+"cams"+">Camera</a><form method = "+"post "+"action ="+"bill"+"><br><input type= "+"submit"+"></form></body></html>");
      pw.close();
  }Message was edited by:
  stevejluke

• Dynpro application: how to perform some  code when user click window close

  Hello,
  I'm developing dynpro application. This application needs to perform some code when exiting.
  I can do that with MODULE xxxxx AT EXIT-COMMAND. But this code can't be performed when user of application click on button closing window (classic R/3 window, not pop-up).
  Does anybody know how to bind some code to clicking on button closing window?
  Best regards,
  Josef Motl

  As far as the prompt that you get when you close the last window is coming from the counter that SAP maintains regarding the number of open sessions(windows). When this counter reaches 1, I guess they have a check to issue a prompt. There was a discussion in this forum a long time back regarding how we can know that session id like SM04. There was no conclusion reached then. Theoritically, let us know you know this id for the session in which the user opened a particular page, then you can see if that session is deleted and then take the necessary action. There are some TH_* function modules that seem to be promising, but I was not able to conclusively achieve the control over a particular session.
  See if you can look at SM04 and get an idea. Please do let us know if you find the solution.
  Srinivas

• How do i end a sub vi when the close window control is clicked?

  Hi,
  I have a sub vi that sits in a while loop until a 'Done' button is pressed but sometimes the user clicks on the close window control in the top left of the window (MacOS) instead.
  After this has happened I would like control to return to the calling vi but it's as though the sub vi is still waiting for someone to click on the done button and the any user actions in the calling vi are ignored.
  How do I wire the close window into my program so as clicking on either it or the Done button will end the sub vi and pass control back to the calling vi?
  Thanks,
  Dave.

  The "event structure" can capture events for "this VI" that include "panel close". If you are using an event structure to look for the push of the Done button, just add another event that will catch the panel close as well (you can even configure the stucture to not pass on the close event). If you are not using the event structure to watch for the done button, perhaps you should. If you cannot use it in the same loop, you can put it in a parallel loop and use any of several signaling mechanisms to communicate between the loops.

• How to close a session when user clicks Logout

  In my jsp page i create a session for every user's name.
  when particular user clicks logut without closing his personal page,
  the others can access his page.
  so, how to close a session when clicks logout link.?
  similarly when user gets signin one system,he will not be sigin in other system.but how can we achieve this?
  Thanks in Advance

  What is the name of the session variable that you are creating on login? When he clicks logout, set that session variable to null. Like session.setAttribute("userName",null); and check for non-null condition before proceeding with any functionality in your jsp's.
  What is the second question? You want to prevent duplicate logins from different systems? You would have to maintain a static datastructure like a HashMap for instance. Everytime a user logs in, put an entry into the HashMap...like userMap.put("userName","userName"); If an entry already exists, throw a message saying that user already logged in from another machine...

• Force code execute when user closes OOB lightswitch app using the windows close red X

  I've created a lightswitch app using Forms Authentication.  If the user closes the application using the window close red 'X', I need to update a custom user profile table.  Is this possible?

  I use this code and it works!
  I handle the closing event of the user and I break it, execute my code ed after closing the application.
  Under you see the code that I use in my application.vb :
  Public Class Uscita
  ' Dichiara un evento per la classe
  Public Event Event1()
  ' Definisce un metodo per richiamare l'evento
  Sub CausaEvento()
  RaiseEvent Event1()
  End Sub
  End Class
  Protected Sub EsceAPP()
  Dim Obj As New Uscita
  AddHandler Obj.Event1, AddressOf Me.EventoUscita
  ' Provoca l'esecuzione dell'evento
  Obj.CausaEvento()
  End Sub
  Sub Eventouscita()
  Dispatchers.Main.BeginInvoke(Sub()
  RemoveHandler _mainWindowClose.Closing, AddressOf MainWindow_Closing
  System.Windows.Application.Current.MainWindow.Close()
  End Sub)
  End Sub
  Private Sub Application_loggedin()
  Try
  Dispatchers.Main.BeginInvoke(Sub()
  _mainWindowClose = System.Windows.Application.Current.MainWindow
  AddHandler _mainWindowClose.Closing, AddressOf MainWindow_Closing
  End Sub)
  Catch ex As Exception
  MessageBox.Show(ex.Message)
  End Try
  End Sub
  Private Sub MainWindow_Closing(ByVal sender As Object, ByVal e As ClosingEventArgs)
  If MessageBox.Show("Vuoi Veramente uscire?", "Conferma", MessageBoxOption.OkCancel) = Windows.MessageBoxResult.Cancel Then
  'Elimina l'uscita utente
  e.Cancel = True
  Else
  'Interrompe momentaneamente l'uscita dell'utente per eseguire l'aggiornamento della tabella utenti loggati
  e.Cancel = True
  'Aggiorna la tabella utenti loggati ed esce dall'applicativo
  Me.Details.Dispatcher.BeginInvoke(Sub()
  Dim ws = CreateDataWorkspace()
  Dim query = ws.ApplicationData.UtentiLoggatis.Where(Function(c) c.UserName = Me.User.FullName).FirstOrDefault
  query.OnLineImage = MyImageHelper.GetImageByName("RedLight.png")
  query.OnLIne = "OFF"
  query.Logout = Now
  ws.ApplicationData.SaveChanges()
  'Chiama la routine per uscire dall'applicazione
  EsceAPP()
  End Sub)
  End If
  End Sub

• Record locks created when user closes the Browser and not the Web Form

  Hi. We sometimes encounter the issue where a user updates a record, locking the record on the table, but then they unexpectedly closes the browser without saving by clicking the X in the upper-right of the browser window. Then when another user comes along and attempts to edit that record they get the message Unable to Reserve Record. The orphaned record lock eventually does seem to clear itself out, but that can often take 15-20 minutes.
  Is there any way to speed this up? Or to pragmatically keep this from occurring? Either on the database side or with some code in a particular application?
  Please let me know your thoughts. Thanks in advance.

  If a user closes the browser window the forms runtime on the application server holding the locks is in most cases still up and running. The FORMS_TIMEOUT controls on how long a forms runtime on the server is up and running without the client applet not sending a heartbeat (See MOS note 549735.1). By default this is 15 minutes which would explain your locks being held 15 minutes.
  You could decrease the FORMS_TIMEOUT in the default.env, so the forms runtimes get cleaned earlier and thus the locks get released earlier.
  Note that if you have blocking client_hostcalls with webutil this might be a problem, as it prevents the forms applet from sending the heartbeat and after the FORMS_TIMEOUT passed while the forms applet is blocked the forms runtime on the server gets closed.
  cheers

• Releasing table locks when user closes browser

  Hi, I've read the blogs and tried some of the code that people have suggested but it just never seems to work.  I have locked table entries belonging to a stateful 2003 BSP.  The user closes the browser by means of the 'X' and the table locks remain.  I have table lock releases in the 'OnDestroy' event but that never seems to occur.  I have tried inserting JavaScript to capture the closing of the window but either it captures every other event or it gets confused when navigating to another page.  I have the redirect examples however they all seem to be part of a proper logoff procedure, rather than the cowboy approach of just shutting down the browser.  There must be a simple procedure out there to do this.  Is there a complete example somewhere?
  Any help will be appreciated,
  Kevin

  Hi Raja, ok I discovered why it isn't working and it really is quite obvious.  The browser that it's being tested on has a Google toolbar installed. Among other things this toolbar allows users to block the display of popups.  If this is selected the script will not run properly as it needs the alert to allow the server side to run.  This is going to be frustrating because while most of the user's desktop is managed by the corporation they still have the ability to add toolbars to their browsers and configure them, and I'm sure most people will select the popup blocker. 
  Kevin