http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12147

session logout() method does not invalidate the session

           Summary: session logout() method does not invalidate the session
           Product: Tomcat 5
           Version: Unknown
          Platform: PC
        OS/Version: Windows NT/2K
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Catalina
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]


After HttpSession.logout() was called, the session is still active. 
The BASIC authentication did not log out the user and ask for passwords when the 
logout() method had been called.

The following is the code to call logout():

    Debug.println("LogoutHandler: perform");

    HttpSession session = (HttpSession)signoutevent.get("session");
    if (session!=null)
    {
        Debug.println("current session id:"+ session.getId());
        Debug.println("current session status:" + session.getCreationTime());
        session.logout();

        Debug.println("new session id:"+ session.getId());
        Debug.println("new session status:" + session.isNew());
        Debug.println("new session status:" + session.getCreationTime());
    }

The following is the debug message:

LogoutHandler: perform
current session id:F1C4C622A113E256274753A6B11631A4
current session status:1030582292752
new session id:F1C4C622A113E256274753A6B11631A4
new session status:false
new session status:1030582292752

The following is the security config

    <security-constraint>
      <display-name>Security For Container Login</display-name>
      <web-resource-collection>
         <web-resource-name>Protected Area</web-resource-name>
         <url-pattern>/control/signin_cfb</url-pattern>
         <http-method>DELETE</http-method>
         <http-method>GET</http-method>
         <http-method>POST</http-method>
         <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
         <role-name>tomcat</role-name>
         <role-name>manager</role-name>
         <role-name>engineer</role-name>
      </auth-constraint>
    </security-constraint>
