This invention is directed to a system and method for tracking sessions for web-based applications. More particularly, this invention is directed to a system and method for terminating sessions for web-based applications.
Web-based applications are accessed by client users using web browsers, which access a web server and create a session. The session is stored on the server side, and the web server tracks the session belonging to each client. The session can be associated with data generated from requests from the browser.
Generally, the web server destroys a session when the session times out. The session timeout can be set to a variable length. If a session has not been accessed for a certain period of time, the server closes the session to reclaim resources. Even after a user closes the browser application, the particular session will not expire until the timeout has been reached. If the timeout is set to one hundred twenty minutes, and if the user closes the browser five minutes after starting, the server will keep the session active unnecessarily for another one hundred fifteen minutes. This becomes a serious disadvantage, especially in an embedded server environment with a small memory and small workspaces. The server may keep the memory allocated even after the session is no longer in use.
Another problem is the limit on the number of allowable concurrent sessions. In the embedded server environment, the web server may keep track of the number of active sessions to limit their usage. Even after a user closes his browser and is no longer browsing the web site, the web server keeps the session in memory until the session is timed out. Therefore, if the number of sessions held in memory is at the maximum, the system will deny a new user access until sufficient resources have been freed, even though some of those sessions are no longer in use.
An additional problem involves session-based file locking systems. If the web server uses a session-based file locking system, the file may be locked and is not available to others until the session is timed out, even if the user closes the browser before the timeout period.
Another problem arises when a user does not close the browser, but moves away from the web site to another web site. In this situation, the session should be terminated, not only for the reasons described above, but also for security reasons. A user logged in as administrator or a private user can access secured or private pages. When this user moves away from such a site, the session should be terminated so that another login is required when the user returns to such a site.
There is a need for a system and method for tracking sessions for web-based applications which terminates the session in response to selected actions by the user and provides increased security for secure or private web pages.
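The timeout, session-limit and file-locking problems described above can be reproduced with a small model of a server-side session table. This is an added example, not part of the original text; the class, function and file names are hypothetical, and time is passed in explicitly in seconds so the behaviour is deterministic.

```python
# Added illustration: in-memory session table with an idle timeout,
# a concurrent-session limit and session-based file locks.
class SessionTable:
    def __init__(self, timeout_s, max_sessions):
        self.timeout_s = timeout_s
        self.max_sessions = max_sessions
        self.last_access = {}  # session id -> time of last request
        self.locks = {}        # file path -> session id holding the lock

    def terminate(self, sid):
        """End a session immediately, releasing its slot and file locks."""
        self.last_access.pop(sid, None)
        self.locks = {p: s for p, s in self.locks.items() if s != sid}

    def reap(self, now):
        """Destroy every session idle for timeout_s seconds or longer."""
        expired = [s for s, t in self.last_access.items()
                   if now - t >= self.timeout_s]
        for sid in expired:
            self.terminate(sid)
        return expired

    def create(self, sid, now):
        """Admit a new session, or return False when the table is full."""
        self.reap(now)
        if len(self.last_access) >= self.max_sessions:
            return False
        self.last_access[sid] = now
        return True

    def lock(self, sid, path):
        """Grant the lock only to a live session, if free or already held."""
        if sid not in self.last_access:
            return False
        return self.locks.setdefault(path, sid) == sid


def scenario(terminate_on_close):
    """User A starts at minute 0 and closes the browser at minute 5.
    Returns (minute at which user B is admitted, whether B gets the lock)."""
    minute = 60
    table = SessionTable(timeout_s=120 * minute, max_sessions=1)
    table.create("A", now=0)
    table.lock("A", "config.xml")  # constructed file name
    if terminate_on_close:         # server is told at minute 5 that A left
        table.terminate("A")
    for m in (6, 119, 120):
        if table.create("B", now=m * minute):
            return m, table.lock("B", "config.xml")
    return None, False
```

With timeout-only cleanup, user B is refused at minutes 6 and 119 and admitted only at minute 120; when the session is terminated as the user leaves, B is admitted at minute 6 and the file lock is already free.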