Invalidating sessions and container auth.

["Jon.Ridgway" <Jo...@upco.co.uk>]

Hi All,
 
This isn't a struts specific question, but someone may have an answer...
 
I'm using form based auth in my Struts based app and I need an option to log
user out. Right now my LogoutAction perform method calls request.getSession
(false).invalidate(). The problem is that the container (in this specific
case Tomcat 3.2.1) doesn't recognize that the user has been logged out. As
no attempt is made to re-auth them. Is there a standard Java way to log a
user out and force a container to re-auth ?
 
Jon.

Re: Invalidating sessions and container auth.

["Craig R. McClanahan" <cr...@apache.org>]

On Thu, 21 Jun 2001, Jon.Ridgway wrote:

> Hi All,
>  
> This isn't a struts specific question, but someone may have an answer...
>  
> I'm using form based auth in my Struts based app and I need an option to log
> user out. Right now my LogoutAction perform method calls request.getSession
> (false).invalidate(). The problem is that the container (in this specific
> case Tomcat 3.2.1) doesn't recognize that the user has been logged out. As
> no attempt is made to re-auth them. Is there a standard Java way to log a
> user out and force a container to re-auth ?
>  

Make sure that you invalidate the session *before* the response has been
committed.  Otherwise, the cookie deletion (which is necessary to
implement the session invalidation) is ignored, because the HTTP headers
will have already been sent.

> Jon.
> 

Craig