Posted to users@tomcat.apache.org by Chris Gibbons <cg...@sabioso.com> on 2006/06/13 17:33:07 UTC

HttpSession.invalidate() not working as expected

I am trying to invalidate my session by calling 
HttpSession.invalidate(). The problem I am having is that after I log in 
as a user, then log out, then log back in, the second login doesn't call 
any of my authentication methods.  On logout I am calling 
HttpSession.invalidate(), which doesn't throw any exceptions.  To test 
whether the invalidate method was actually working I made a second call 
to HttpSession.invalidate(), which according to the API should throw an 
exception on the call to invalidate an already invalidated method.  This 
second invalidate doesn't throw an exception and I can still call 
HttpSession.getId() and have it return a valid value.  Could someone 
tell me why the invalidate() method is not really invalidating, or 
suggest a better way to do this?

Chris

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: HttpSession.invalidate() not working as expected

Posted by Tim Lucia <ti...@yahoo.com>.
Without seeing actual code, we can only guess. 

Have you made two consecutive calls to invalidate() [on the same thread] and
not received the documented exception?

Are you getting a different session id from getId()?

I am guessing you are making a second request, which creates a brand new
session.

What mechanism(s) are you using for logging in?  Your own?  Basic?  If the
latter, your browser will reuse the credentials as long as the browser
window is alive.

Tim


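
The checks Tim asks about (a second invalidate() on the same session object, and whether getId() is coming from a newly created session) can be run inside a single request. The servlet below is an added example, not code from this thread; the class name LogoutCheckServlet and the output format are hypothetical, and it assumes the javax.servlet API on the classpath.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical diagnostic servlet: map it to a URL and request it while logged in.
public class LogoutCheckServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Buffer the report so nothing is written before the session calls below.
        StringBuilder report = new StringBuilder();

        // getSession(false) never creates a session; null means nothing to invalidate.
        HttpSession first = req.getSession(false);
        if (first == null) {
            report.append("no session on this request\n");
        } else {
            String oldId = first.getId();
            first.invalidate();

            // Same object, same request: the API documents IllegalStateException here.
            try {
                first.invalidate();
                report.append("second invalidate(): no exception\n");
            } catch (IllegalStateException expected) {
                report.append("second invalidate(): IllegalStateException\n");
            }

            // getId() is not documented to throw on an invalidated session,
            // so a readable id is not evidence that the session is still live.
            report.append("getId() on invalidated session: ").append(first.getId()).append('\n');

            // getSession() with no argument creates a replacement session if none exists.
            // If the logout code or a later request calls it, invalidate() and getId()
            // then operate on this new session, not on the one that was invalidated.
            HttpSession second = req.getSession();
            report.append("replacement session isNew=").append(second.isNew())
                  .append(", id changed=").append(!oldId.equals(second.getId())).append('\n');
            second.invalidate(); // do not leave the diagnostic session behind
        }

        resp.setContentType("text/plain");
        resp.getWriter().print(report);
    }
}
```

This only covers the session object. With Basic authentication, as Tim notes, the browser resends the cached credentials on the next request, so invalidating the session does not by itself force a new login prompt.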