Jackson schrieb:

Sorry, I don't directly answer your question. AFAIK login out on non
SSL connections is not trivial. A nice article describing solutions can
be found at

http://www.javaworld.com/javaworld/jw-09-2004/jw-0927-logout.html

Andreas

I'm not sure I understand you, but I think you're asking for a way that
an application server can determine whether the user agent with which
some user was participating in some particular HTTP session has been
shut down.  The answer to that question is "No" (whether or not it's the
question you meant). HTTP is a request/response protocol.  Between
requests, the server cannot obtain information about the status of
clients.  The only things it knows about them come from their requests.

If you really need to restrict clients to one session at a time but yet
be able to reconnect quickly when they drop a session without properly
logging out then you have a few options.  The most likely ones I see are:

(1) Make the session timeout very short.  Depending on the application,
this might not be feasible, but it might be worth the trouble to rig up
a Javascript that fed a heartbeat to the server to keep the session
alive.  If you were using AJAX techniques then that would fit right in,
but otherwise it might be painful.

(2) Cache a map from users to their live session in the servlet context,
and use it to give users the option of killing their previous session
when they attempt to log in again.  Chances are that this would be
pretty easy and reliable.

(3) Do nothing and just put up with it.