HI! I am using Tomcat's <security-constraint> security feature, and I have no problems with my users logging in and eventually logging out (when session expires???) What I want to do is to have a button that would log users out.... So I made a button to a LogOut.jsp where I tried the following: <% session.invalidate(); %> but it doesn't seem to work... How would you log out? thank you!
Hi, I think your code is correct, i.e., the session is correctly invalidated (i.e. all the attributes related to that HttpSession object will not be more accessible, etc, etc). However, you should note that the next time you access any jsp page, your code will probably create a new session, because, by default, any JSP page calls a getSession() (equivalent to getSession(true)) method at the beginning of the request, which will always create a session if it doesn't find one. BTW, if you are using BASIC authentication, then the problem is that you can only get a new authentication window (to put your name and password) only if you close ALL your browser windows (this is a problem related with the BASIC authentication method itself, not with java). In this case, you would probably consider to use FORM authentication instead. Anyway, could you be more specific ? what "it doesn't seem to work" means? Dani
Joined: Jul 22, 2003
by it doesn't totaly work I mean is that it dont give no errors, but when I open the admin page (not from the browsers cache), it doesn't ask me for a pass... oh man.. I dont like form thingy... its too much work But even in that case, how would you give the user ability to log out? admin tool has this thing logOut.do, but I couldnt find it anywhere... ???