Session API won't help you with this. As long as the browser stays
open and the session hasn't timed out, then the session is
valid.
Alternatives:
You can prevent the pages from being cached and expire them immediately. When the
user hits the back button, they will get a message that says the page is
expired. This forces them to go to a page that you do not expire immediately:
the login.
You can also modify the browser history using JavaScript. By setting the
history, the "back" button can always point to the login screen
of your site.
Both of these methods are browser dependent and not 100% reliable. You will get
varying results depending on the browser type and version... So they can be a
pain to use.
Also, both of these methods will always affect a user trying to use the "back" button
- not just ones who browsed away from your site. Basically, you will be
disabling the "back" button. I'd recommend *not* doing this unless you really
must.
Kevin Baynes
Seagull Software
-----Original Message-----
From: A mailing list for discussion about Sun Microsystem's Java Servlet API Technology. [mailto:[EMAIL PROTECTED]]On Behalf Of John Waugh
Sent: Wednesday, August 15, 2001 11:23 AM
To: [EMAIL PROTECTED]
Subject: Timing out Secure session
Hi,
I was thinking about making a secure web site, but the thought has just crossed my mind that I'd like it when a user visits the page on the site, then another site, then say presses back and refresh, to make the user have to relogin.
How on earth would I detect the fact that the user has left the site using the session API? I haven't been able to come up with anything.
Any suggestions or other approaches, anyone?
John
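
The first alternative from the reply above (expire protected pages immediately, leave the login page alone), written as a Servlet filter. This is an added example, not code from the original thread; the class name `NoCacheFilter` and the `/login` path are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: the class name and LOGIN_PATH are assumptions for this example.
public class NoCacheFilter implements Filter {
    private static final String LOGIN_PATH = "/login";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path relative to the web application, without any ";jsessionid=..." suffix.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        int semi = path.indexOf(';');
        if (semi >= 0) {
            path = path.substring(0, semi);
        }

        // The login page is the one page that is not expired immediately.
        if (path.equals(LOGIN_PATH)) {
            chain.doFilter(req, res);
            return;
        }

        // Tell HTTP/1.1 and HTTP/1.0 clients and proxies not to keep a copy.
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        // Only checks that a session exists; it does not create one.
        if (request.getSession(false) == null) {
            response.sendRedirect(request.getContextPath() + LOGIN_PATH);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Map the filter in `web.xml` to the URL pattern of the protected pages. What the browser shows on "back" still varies by browser type and version, as the reply notes.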
