I have an application into the intranet that pass for its the user in header request, I save in session and I use this information for access control on others pages. I need that when an user logged out from intranet, visit others site and if he try access the application again, paste the url in browser, the system show message "Access Denied".
you could the a session explicitly that it is invalid (HttpSerssion.invalidate()). Then you could remove the objects from the session. then remove the athenticating header and send a redirect (response.sendRedirect()) to the loginpage Then the user should be logged out safely. Mike