HttpSessionListener - Will sessionDestroyed method be called on session timeout?
I have an implementation of HttpSessionListener where 'locked' resources in the application are released with sessionDestroyed method.
The 'lock' information is maintained in database, and the release of locks is working fine in most cases. But In some cases I still see resource is locked - even if there is no session active!
So, I'm doubting if there is possibility that sessionDestroyed not being invoked? Suppose if the session is timed out - will sessionDestroyed method be called?
Suppose user closes browser tab without logging out(destroying session) -then will the listener be invoked?
Thanks in advance!
Answer
A servlet engine will handle session timeouts.
It will determine on its own when the session is no longer valid and it will call the sessionDestroyed. (this can occur some time after the user closed his browser).
Some other points :
Logging
Perhaps you can add some logging to sessionCreated and sessionDestroyed methods. for each sessionCreated you should have a sessionDestroyed.
Excepion Handling
Perhaps the fact that stuff remains locked is not due to the session not being destroyed, but perhaps due to an error in your sessionDestroyed logic. Do you have sufficient exception handling / logging in place there ?
Timing
Did you wait long enough to check your locked resources ? (close all clients, and take into account the session timeout value configured on the application / server). As stated earlier, the server cannot detect a user closing a browser, but it does maintain its list of http sessions, and it will destroy them after timeout.