Hi folks,
shouldn't be the javascript soluiton. ofcourse
you should do that always. but again its on client-end. Moreover, javascript may vary browser to browser.
its better to use HttpSessionListener. and invalidate the session on logout and session-timeout. it will definitely work in any case. but ofcourse session-timeout might not be the real logout time for the user. you can use javascript solution along this one.
cheers