Issue
In a spring MVC app , does closing the Application browser window ends the session ? And when a new window is opened then a new session is started Is my understanding correct?
Solution
Starting with some details first and then answering your specific questions below.
If you have a network inspection tool, you'll notice that the first time your browser interacts with the server, there is a header in the response that looks like Set-Cookie: JSESSIONID=<session_id> (assuming Tomcat). The server has created a session and has given that session ID. The server will typically create a new session when either the request did not have a session ID or the session ID was invalid. This cookie is stored in the browser's cookie store and will be sent in subsequent requests as a Cookie header.
If the cookie does not define an expiration, the browser will treat this cookie as a session cookie, which is transient or will only live until the browser is closed. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie.
So closing your browser would only lose the client-side reference (session ID) to the session. While the session on the server is orphaned (assuming nothing else has a reference to the session ID), the session is still very much alive. If there are no further requests for that session, the session will eventually timeout and end. You can configure the timeout via this property - server.servlet.session.timeout.
Now to answer your exact questions:
Q: Does closing the Application browser window ends the session?
The browser cookie store will no longer contain the session ID after closing. The server session will be orphaned and eventually timeout/end.
Q: And when a new window is opened then a new session is started
If the browser is already open and you made a request the server once before, opening another window that hits the server would not create a new session. Both windows share the same cookie store.
But if you were to open a new window after launching the browser process or clearing your cookies, a new session would be created. Again, this is due to the request from browser to server not containing the session ID.
Answered By - Tim Tong
Answer Checked By - Gilberto Lyons (JavaFixing Admin)
