Posted to users@tomcat.apache.org by lightbulb432 <ve...@hotmail.com> on 2007/09/09 05:06:11 UTC

[OT] Correct action to take on log out

What are the things you do when a user logs out? Some options include
invalidating the entire HttpSession, keeping the session alive but setting
some attribute (e.g. "loggedIn") to false, or doing something else I haven't
thought of.

I was thinking that upon logout the simplest thing to do is invalidate the
session, but there might be really valuable use cases that require a session
to remain alive. For example, collecting data on and analyzing usage
patterns for a given user while logged in and after logged out (for web
applications that have plenty of functionality or content for users that are
not logged in).

What do your applications do on logout, and what have you seen other
production applications do? What's the "best practice" in this regard? What
are the tradeoffs I probably haven't thought of?

Thanks.


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
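As an added illustration of the two options the question raises (not code from the thread or from Tomcat itself), the hypothetical servlet below implements both: by default it invalidates the HttpSession and tells the browser to drop the JSESSIONID cookie; with the assumed init-param keepSession=true it instead keeps the session alive, removes every attribute that is not on an assumed whitelist of anonymous-safe names, and sets loggedIn to false. The init-param, the attribute names and the whitelist are assumptions; the servlet API calls are standard javax.servlet (Servlet 2.4/2.5 era).

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical logout servlet (example, not from the mailing list thread).
 * Mode (a), the default: invalidate the session and expire its cookie.
 * Mode (b), init-param keepSession=true: keep the session id but strip
 * everything that is not explicitly safe for an anonymous user.
 */
public class LogoutServlet extends HttpServlet {

    // Assumed attribute names that may survive a logout in mode (b). Anything
    // not listed is treated as potentially confidential and removed.
    private static final Set<String> ANONYMOUS_SAFE =
            new HashSet<String>(Arrays.asList("locale", "usageTracking"));

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false); // never create one just to kill it
        boolean keepSession = "true".equals(getInitParameter("keepSession"));

        if (session != null) {
            if (keepSession) {
                downgradeToAnonymous(session);
            } else {
                session.invalidate();
                expireSessionCookie(req, resp);
            }
        }
        // The response changes authentication state: keep it out of caches.
        resp.setHeader("Cache-Control", "no-store");
        resp.setHeader("Pragma", "no-cache");
        resp.sendRedirect(req.getContextPath() + "/");
    }

    // Mode (b): same session id, but every non-whitelisted attribute is removed
    // so no confidential data lingers, and the flag is set so access checks
    // that re-evaluate it on every request see the user as logged out.
    static void downgradeToAnonymous(HttpSession session) {
        List<String> toRemove = new ArrayList<String>();
        Enumeration<?> names = session.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            if (!ANONYMOUS_SAFE.contains(name)) {
                toRemove.add(name); // collect first; removing while enumerating is unsafe
            }
        }
        for (String name : toRemove) {
            session.removeAttribute(name);
        }
        session.setAttribute("loggedIn", Boolean.FALSE);
    }

    // Mode (a) companion: expire the session cookie so the browser stops
    // presenting the old id after the server-side session is gone.
    static void expireSessionCookie(HttpServletRequest req, HttpServletResponse resp) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) {
            return;
        }
        for (Cookie c : cookies) {
            if ("JSESSIONID".equals(c.getName())) {
                Cookie expired = new Cookie(c.getName(), "");
                expired.setMaxAge(0);
                String path = req.getContextPath();
                expired.setPath(path.length() == 0 ? "/" : path);
                resp.addCookie(expired);
            }
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Logout changes state, so accept POST only; a GET logout can be
        // triggered by any third-party page with an <img> tag.
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }
}
```

Map the servlet to /logout in web.xml and submit the logout form with POST. Mode (b) is only as safe as the whitelist: any attribute you forget to list stays readable by whoever holds the session cookie after logout, which is the trade-off between the two options.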


Re: [OT] Correct action to take on log out

Posted by David Delbecq <de...@oma.be>.
Here,

we use container security, and as such we do not provide a "logout" 
option. We see no need for a logout as there is no reason for our user 
to change identity :) If you keep a session after logout, the risk that 
might occur is that some data that is to be considered "confidential" 
remains in the session of a now anonymous user. This can result in somewhat 
incoherent access rules if you don't check them every time they are 
involved but only "once per session" :)

BTW, you don't need a session, I think, to collect usage patterns etc. A 
simple Valve that injects a marking cookie, separate from the session 
cookie, should be enough.


lightbulb432 a écrit :
> What are the things you do when a user logs out? Some options include
> invalidating the entire HttpSession, keeping the session alive but setting
> some attribute (e.g. "loggedIn") to false, or doing something else I haven't
> thought of.
>
> I was thinking that upon logout the simplest thing to do is invalidate the
> session, but there might be really valuable use cases that require a session
> to remain alive. For example, collecting data on and analyzing usage
> patterns for a given user while logged in and after logged out (for web
> applications that have plenty of functionality or content for users that are
> not logged in).
>
> What do your applications do on logout, and what have you seen other
> production applications do? What's the "best practice" in this regard? What
> are the tradeoffs I probably haven't thought of?
>
> Thanks.
>   

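As an added example of the Valve idea from the reply above (not code from the thread or from Tomcat), the hypothetical Valve below issues a random, long-lived marking cookie that is independent of JSESSIONID, so usage can be correlated before and after logout while the HttpSession itself is free to be invalidated. The cookie name "umk", its one-year lifetime and the "usageMarker" request attribute are assumptions; the Valve API (org.apache.catalina.valves.ValveBase, Request, Response) is Tomcat's.

```java
import java.io.IOException;
import java.security.SecureRandom;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Hypothetical Tomcat Valve (example, not from the mailing list thread).
 * Sets a random marking cookie, separate from the session cookie, so that
 * usage tracking does not depend on keeping the HttpSession alive.
 */
public class UsageMarkerValve extends ValveBase {

    static final String COOKIE_NAME = "umk";                 // assumed name
    static final int ONE_YEAR_SECONDS = 365 * 24 * 60 * 60;  // assumed lifetime
    private static final SecureRandom RNG = new SecureRandom();

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        String marker = findMarker(request.getCookies());
        if (marker == null) {
            marker = newMarker();
            Cookie c = new Cookie(COOKIE_NAME, marker);
            c.setMaxAge(ONE_YEAR_SECONDS);
            c.setPath("/");
            c.setSecure(request.isSecure()); // do not downgrade a TLS-issued marker
            response.addCookie(c);
        }
        // Hand the marker to the webapp (e.g. a logging filter) as a request
        // attribute, so nothing about tracking has to live in the session.
        request.setAttribute("usageMarker", marker);
        getNext().invoke(request, response);
    }

    // Return the existing marker only if it looks like one we issued; anything
    // malformed is replaced rather than trusted and logged as-is.
    static String findMarker(Cookie[] cookies) {
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            String v = c.getValue();
            if (COOKIE_NAME.equals(c.getName()) && v != null && v.matches("[0-9a-f]{32}")) {
                return v;
            }
        }
        return null;
    }

    // 128 random bits, hex-encoded. Unrelated to the session id, so a leaked
    // marker is of no use for hijacking a session.
    static String newMarker() {
        byte[] b = new byte[16];
        RNG.nextBytes(b);
        StringBuilder sb = new StringBuilder(32);
        for (byte x : b) {
            sb.append(Character.forDigit((x >> 4) & 0xf, 16));
            sb.append(Character.forDigit(x & 0xf, 16));
        }
        return sb.toString();
    }
}
```

Put the compiled class on Tomcat's own classpath and register it under the Host or Engine in server.xml with <Valve className="UsageMarkerValve"/>. The marker is deliberately opaque: keep the mapping from marker to user in your analytics store, not in the cookie, so that the cookie reveals nothing if it is copied.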