Hi all! I know every session has a unique sessionID. If I keep all userID-sessionID records in my web app, my question is: when I want to "force" a user to log out, how do I use the sessionID to find that session and kill it?
Deprecated. As of Java(tm) Servlet API 2.1 for security reasons, with no replacement. This interface will be removed in a future version of this API.
The problem is that application contexts can talk to each other. If you can reach from one web app to another and get the thing that holds someone else's session, you can then get and set data on it. Initially it might sound useful and like a good idea, but consider the case where you (personally) don't control all the apps on a server... If you want to log someone out from the server side, set a session timeout and use a registered HttpSessionBindingEvent to detect when the session times out. Manually maintaining the user and session data is dangerous!

Dave
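
One way to apply that advice inside a single web app, as an added example that is not code from this thread: an object bound into the session at login implements `HttpSessionBindingListener`, so the container itself reports timeout or invalidation and the app-local registry is only used to call `invalidate()`. The class name `TrackedLogin`, the attribute name and the one-session-per-user policy are assumptions, and the `javax.servlet` package matches the Servlet API generation discussed here.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/** Hypothetical helper: bound into a session at login, tracks it per user. */
public class TrackedLogin implements HttpSessionBindingListener {
    // Lives in this web app's class loader only; never hand it to another context.
    private static final ConcurrentMap<String, TrackedLogin> ACTIVE = new ConcurrentHashMap<>();
    private static final String ATTR = "trackedLogin"; // assumed attribute name

    private final String userId;
    private volatile HttpSession session;

    private TrackedLogin(String userId) { this.userId = userId; }

    /** Call after successful authentication. */
    public static void login(HttpSession session, String userId, int timeoutSeconds) {
        session.setMaxInactiveInterval(timeoutSeconds);       // idle timeout enforced by the container
        session.setAttribute(ATTR, new TrackedLogin(userId)); // container calls valueBound
    }

    /** Server-side forced logout; returns false if the user has no live session. */
    public static boolean forceLogout(String userId) {
        TrackedLogin login = ACTIVE.remove(userId);
        if (login == null) return false;
        try {
            login.session.invalidate(); // container then calls valueUnbound
            return true;
        } catch (IllegalStateException alreadyInvalidated) {
            return false;
        }
    }

    @Override
    public void valueBound(HttpSessionBindingEvent event) {
        session = event.getSession();
        TrackedLogin previous = ACTIVE.put(userId, this);
        if (previous != null && previous != this) {
            // Assumed policy: one session per user, so no older session is left untracked.
            try { previous.session.invalidate(); } catch (IllegalStateException ignored) { }
        }
    }

    @Override
    public void valueUnbound(HttpSessionBindingEvent event) {
        // Fires on timeout, invalidate() or attribute removal; drop only our own entry.
        ACTIVE.remove(userId, this);
    }
}
```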