Posted to users@tapestry.apache.org by tapestryphoto <ph...@digiatlas.org> on 2009/01/23 10:22:50 UTC

T5: how to invalidate session on logout?

I need to be able to reset everything when the user logs out.  
Currently @Persist objects are still available if the user logs in  
again with the same browser instance. This isn't very optimal.

I have searched the mail archive and found some comments on this issue  
made at the end of 2007. I'm wondering if there is a standard way to  
do this. The Wiki appears to be silent on the issue - I would have  
thought this would have had more importance than it seems to have.

According to these prehistoric ;-) postings to the mailing list, one  
should inject RequestGlobals and then call invalidate() on the session.

Is this still the way to do this?  It seems rather clunky and  
non-obvious - especially for the novice T5 programmer who is shown  
numerous examples of logins and ASOs and how to use @Persist. The T5  
page about persistence strategies is also silent on the issue (apart  
from mentioning discardPersistentFieldChanges() - but that would  
require running the method on every page when logging out).

Thoughts?

p.



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org


Re: T5: how to invalidate session on logout?

Posted by Thiago HP <th...@gmail.com>.
I would create an EventLink (the logout link) that, when clicked,
invalidates the session.

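<a href="#" t:type="EventLink" t:event="logout">Logout</a>

// Request and Session are from org.apache.tapestry5.services
@Inject
private Request request;

@OnEvent("logout")
void logout() {
    // Request.getSession takes a boolean; false avoids creating a session just to discard it
    Session session = request.getSession(false);
    if (session != null) {
        session.invalidate();
    }
}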

-- 
Thiago



Re: T5: how to invalidate session on logout?

Posted by Kristian Marinkovic <kr...@porsche.co.at>.
Invalidating the HTTP session is the way to go because all the persist and
ASO objects are stored there.

I have a LogoutService that is called when a user wants to log out. This
service only deletes an artifact that is used to verify the successful
login. In a dispatcher (see AccessController on the wiki) the artifact is
checked, and if it does not exist the HTTP session is invalidated.

g,
kris
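
A sketch of the dispatcher approach described in the reply above, as an added example that is not code from the thread or from the Tapestry wiki. It assumes the login "artifact" is a session attribute; the attribute name LOGIN_MARKER and the class name SessionCleanupDispatcher are hypothetical.

```java
import java.io.IOException;

import org.apache.tapestry5.services.Dispatcher;
import org.apache.tapestry5.services.Request;
import org.apache.tapestry5.services.Response;
import org.apache.tapestry5.services.Session;

/**
 * Added example: invalidates any HTTP session that no longer carries
 * proof of a successful login, so @Persist fields and ASOs left over
 * from a previous user cannot be seen by the next login in the same browser.
 */
public class SessionCleanupDispatcher implements Dispatcher {

    // Hypothetical attribute name (assumption). The login code is assumed
    // to set it after authentication; the logout service is assumed to
    // remove it, which is all the logout service has to do.
    public static final String LOGIN_MARKER = "example.loginMarker";

    public boolean dispatch(Request request, Response response) throws IOException {
        // getSession(false) returns null instead of creating a session,
        // so anonymous requests without a session stay session-free.
        Session session = request.getSession(false);

        if (session != null && session.getAttribute(LOGIN_MARKER) == null) {
            // A session exists but the login marker is gone: discard the
            // session together with everything persisted in it.
            session.invalidate();
        }

        // false means "not handled here": the remaining dispatchers
        // still process the request and render the page.
        return false;
    }
}
```

The dispatcher takes effect once it is contributed to the MasterDispatcher configuration in the application module. With this check in place, session state created before login (for example a persisted field on the login form) is discarded on the next request as well.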




