Here, using container security, we do not provide a "logout" option. We see no need for a logout, as there is no reason for our user to change identity :) If you keep a session after logout, the risk is that some data considered "confidential" remains in the session of a now-anonymous user. This can result in somewhat incoherent access rules if you don't check them every time they are involved but only "once per session" :)

BTW, I don't think you need a session to collect usage patterns etc. A simple Valve that injects a marking cookie, separate from the session cookie, should be enough.


lightbulb432 wrote:
What are the things you do when a user logs out? Some options include
invalidating the entire HttpSession, keeping the session alive but setting
some attribute (e.g. "loggedIn") to false, or doing something else I haven't
thought of.

I was thinking that upon logout the simplest thing to do is invalidate the
session, but there might be really valuable use cases that require a session
to remain alive. For example, collecting data on and analyzing usage
patterns for a given user while logged in and after logging out (for web
applications that have plenty of functionality or content for users that are
not logged in).

What do your applications do on logout, and what have you seen other
production applications do? What's the "best practice" in this regard? What
are the tradeoffs I probably haven't thought of?

Thanks.

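One way to put the reply's approach into code, as an added example that is not from this thread, from Tomcat, or from either poster: a Tomcat Valve that marks every visitor with a random cookie unrelated to JSESSIONID (so usage tracking survives logout), a logout servlet that invalidates the whole session instead of flipping a "loggedIn" attribute, and a filter that re-evaluates authorization on every request from the container principal rather than from a cached session flag. It assumes Servlet 3.0 or later (annotations, HttpOnly cookies, HttpServletRequest.logout()) and Tomcat's ValveBase; the cookie name "visitor_id", the role "member" and the paths /logout and /account/* are made up for the example.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Tomcat Valve that tags every visitor with a random "visitor_id" cookie (name assumed).
 * It is deliberately not the session cookie: it outlives session.invalidate(), so usage
 * data can be correlated across logout without keeping a logged-in session around.
 */
public class VisitorMarkerValve extends ValveBase {
    static final String COOKIE_NAME = "visitor_id";
    private static final SecureRandom RNG = new SecureRandom();

    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        if (findCookie(request, COOKIE_NAME) == null) {
            byte[] raw = new byte[16];
            RNG.nextBytes(raw); // unguessable id; carries no identity, only correlation
            Cookie marker = new Cookie(COOKIE_NAME,
                    Base64.getUrlEncoder().withoutPadding().encodeToString(raw));
            marker.setHttpOnly(true);
            marker.setSecure(request.isSecure());
            marker.setPath("/");
            marker.setMaxAge(365 * 24 * 60 * 60); // a year: survives logout and session expiry
            response.addCookie(marker);
        }
        getNext().invoke(request, response);
    }

    static Cookie findCookie(HttpServletRequest req, String name) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) {
                return c;
            }
        }
        return null;
    }
}

/** Logout endpoint: POST only, so a cross-site GET cannot log the user out. */
@WebServlet("/logout")
class LogoutServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException, ServletException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate(); // every attribute is gone, confidential ones included
        }
        req.logout(); // Servlet 3.0+: clears the container-managed principal
        resp.sendRedirect(req.getContextPath() + "/");
    }
}

/**
 * Authorization is evaluated on every request from the container's current principal,
 * never from a "loggedIn" session attribute that a logout could leave behind.
 */
@WebFilter("/account/*")
class PerRequestAuthzFilter implements Filter {
    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        if (req.getUserPrincipal() == null || !req.isUserInRole("member")) { // role assumed
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}
```

The Valve is registered with a `<Valve className="VisitorMarkerValve"/>` element in context.xml (or server.xml) and needs to be on Tomcat's classpath, while the servlet and filter are picked up by annotation scanning in the web application. Because the marker cookie carries no identity, invalidating the session on logout loses nothing but the confidential state the reply warns about.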
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org