Handling the closing of a Window

Hi Vaadin team!

In the Book of Vaadin, in section 4.6.2, last paragraph, you’re mentioning that in case of browser crashes,
the user can restart the browser and go back to the place he has left (according to the fact that the session hasn’t
expired, of course). You’re saying that this behaviour is desired in many cases but sometimes it may be a security
problem.
Right, I agree, no problem, but what can we do to manage this security problem? I haven’t found clues for that
anywhere and I believe it is clearly a big problem for many kinds of web applications (like the one I’m working on
right now).

Could you please help me a bit?

Thank you very much!

J.Pernel

What kind of solution are you looking for? Would you like the session to expire automatically when the browser window is closed? Is this a specific case of just when the browser crashes, or more in a general manner - when it closes for any reason?

I don’t want to manage this with a CloseListener because I’ll lose the refresh button feature.
Whatever, if the browser crashes there won’t be any event fired to the application so the problem still exists.

It seems strange to me that the session is staying alive whatever the client state. You can close, let’s say, Chrome and open Firefox right after: you’ll get the application in the same state that you left it in Chrome.
I understand it can be seen as a feature but that sounds weird to me (and my client also)…
Is there a way to disable this behaviour?

I understand that Vaadin is well designed for web applications that would mimic traditional desktop applications but
closing a browser, opening another one and getting the application in the same state is definitely too stateful for me.

Am I clear? Can you help me?

For your information, I’m working on an intranet. The main purpose of this intranet is to manage projects, members and
documents in relation with the projects. It is very simple and I’m working on a proof of concept using Vaadin and Wicket.
I’d like to use Vaadin but this “problem” is annoying me…

Thank you!

Every browser has its own set of cookies. For this reason it should be impossible to do as you described, closing Chrome and opening Firefox, and still be in the same state. You can close Chrome, and open up Chrome again to continue using the same browser, but it should not be possible to do cross-browser. In theory you could manipulate the browsers’ cookies by hand to make this possible but that is another matter.

For invalidating the session in the one and same browser - you can modify how long the session is alive before it is invalidated. This makes the situation a little better if the issue is session hijacking on a shared computer + browser. Also, a logout button is always a good idea.

About CloseListener. It is correct that a close event is sent when you hit the refresh button, as you basically close the application and enter it again, and I understand that this can cause you trouble. Still, in a traditionally designed Vaadin app you don’t use the browser buttons (previous/next/refresh) but all the controls are in the application itself, as in a desktop application. Wouldn’t it be more efficient to have refresh buttons next to often updating lists/tables, or use client polling or server push? That way the whole application doesn’t have to refresh and load times / data amounts are minimized.
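
The session-lifetime and logout advice from the reply above, as an added example that is not part of the original thread. It assumes the Vaadin 6 API (`com.vaadin.Application`) running in a servlet container; the class name, the timeout value and the logout URL are hypothetical.

```java
import javax.servlet.http.HttpSession;

import com.vaadin.Application;
import com.vaadin.terminal.gwt.server.WebApplicationContext;
import com.vaadin.ui.Button;
import com.vaadin.ui.Button.ClickEvent;
import com.vaadin.ui.Label;
import com.vaadin.ui.Window;

// Hypothetical application class (assumption: Vaadin 6 on a servlet container).
public class IntranetApplication extends Application {

    // Assumed value: the container drops the session after 10 idle minutes.
    private static final int IDLE_TIMEOUT_SECONDS = 10 * 60;

    @Override
    public void init() {
        Window main = new Window("Intranet");
        setMainWindow(main);

        // Shorten the idle timeout of this user's HTTP session, so a browser
        // that crashed or was simply closed cannot be resumed much later.
        HttpSession session =
                ((WebApplicationContext) getContext()).getHttpSession();
        session.setMaxInactiveInterval(IDLE_TIMEOUT_SECONDS);

        // Placeholder page shown after the application has been closed.
        setLogoutURL("/logged-out.html");

        main.addComponent(new Label("Projects, members and documents"));

        // Explicit logout: close() ends this application instance, its UI
        // state is discarded and the browser is sent to the logout URL.
        main.addComponent(new Button("Log out", new Button.ClickListener() {
            public void buttonClick(ClickEvent event) {
                close();
            }
        }));
    }
}
```

The same idle timeout can be set for all sessions of the web application in `web.xml` with `<session-config><session-timeout>`, whose value is in minutes.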

(warning, untested idea)

I believe you can deal with your situation if you make every page bookmarkable. Refresh will give you back the same URL with a fragment that uniquely identifies your page. UriFragmentUtility allows you to manage the bookmarking. The Vaadin book discusses this.

On the other hand, your new browser will have a URL without a fragment. So you could, in theory, detect the “URL without a fragment” situation to reset the state / flush the session / whatever. This can be done in the HTTP request handler. The handler is also discussed in the book.

This sounds like your code is using e.g. singletons that are shared by all the running application instances. Static variables should not be used for application instance specific state in servlets.

Thank you all for your answers.
I realize that I must go deeper into Vaadin principles because it seems that I want to apply traditional
web application principles in Vaadin and that is not the right way to do things.

I take note of your suggestion, Jean-François, to handle the refresh button with bookmarkable URLs, definitely
a good trick to try.

Thank you again and sorry to have asked questions too early and thus making you lose precious time…

Happy to see that there’s a real community behind Vaadin, it encourages me to go in that direction.

Bye!