As mentioned in the Book of Vaadin:
“In the likely case that the browser crashes, no close event is communicated to the server. As the server has no way of knowing about the problem, and the session will be left hanging until the session timeout expires. During this time, the user can restart the browser, open the application URL, and the main window will be rendered where the user left off. This can be desired behaviour in many cases, but sometimes it is not and can create a security problem.”
We did a hack which worked, so just sharing it with the forum to validate the same.
Our architecture is:
JSP (LOGIN) --> redirect to Vaadin application
So we changed this to:
JSP --> redirect servlet --> Vaadin servlet
In the redirect servlet we set one attribute for Vaadin:
    req.setAttribute("TO_VAADIN", "TO_VAADIN");
    req.getRequestDispatcher("/main").forward(req, resp);
And in the Vaadin servlet:
    @Override
    protected Application getNewApplication(
            HttpServletRequest httpServletRequest) throws ServletException {
        // Mark the request so service() can tell that a new application was created
        httpServletRequest.setAttribute("NEW_APP", "NEW_APP");
        TopupVaadinClient mMa = (TopupVaadinClient) appContext
                .getBean("applicationBean");
        return mMa;
    }

    @Override
    protected void service(HttpServletRequest request,
            HttpServletResponse response) throws ServletException, IOException {
        // NEW_APP is set inside super.service(), so the check has to come after it
        super.service(request, response);
        String TO_VAADIN = (String) request.getAttribute("TO_VAADIN");
        String NEW_APP = (String) request.getAttribute("NEW_APP");
        // Request came through the redirect servlet (fresh login) ...
        if (TO_VAADIN != null) {
            // ... but an existing application was reused: drop the old session
            if (NEW_APP == null) {
                try {
                    request.getSession().invalidate();
                    String contextPath = request.getContextPath();
                    response.sendRedirect(contextPath + "/login.html");
                } catch (IOException e) {
                    // TODO Auto-generated catch block
                    e.printStackTrace();
                }
            }
        }
    }
Hope this hack solves someone's problem …
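
Added example (not part of the original post, and not Vaadin's own code): a variant of the redirect servlet that discards the stale session before forwarding to "/main", so the Vaadin servlet always builds a new application and nothing has to be done after the response is written. The class name and the "AUTH_USER" session attribute are assumptions about how the login JSP records the authenticated user.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Sits between the login JSP and the Vaadin servlet, like the redirect
// servlet in the post, but replaces the session before forwarding.
public class FreshSessionRedirectServlet extends HttpServlet {

    // Assumption: the login JSP stores its login state under these names.
    private static final String[] CARRY_OVER = { "AUTH_USER" };

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Map<String, Object> keep = new HashMap<String, Object>();
        HttpSession old = req.getSession(false);
        if (old != null) {
            // Copy only the whitelisted login attributes out of the old session
            for (String name : CARRY_OVER) {
                Object value = old.getAttribute(name);
                if (value != null) {
                    keep.put(name, value);
                }
            }
            // Drops everything else stored in the session, including an
            // application left behind by a crashed browser
            old.invalidate();
        }
        if (keep.isEmpty()) {
            // No login state found: send the user back to the login page
            resp.sendRedirect(req.getContextPath() + "/login.html");
            return;
        }
        // New session id for the authenticated user, then hand over to Vaadin
        HttpSession fresh = req.getSession(true);
        for (Map.Entry<String, Object> e : keep.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        req.getRequestDispatcher("/main").forward(req, resp);
    }
}
```

Because the session id changes at login, this also covers session fixation on the same path.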