Martin the problem is that even when you invalidate the session... the
browser itself still knows that the user is cool...
So TC will send it a new session ID and it will return the info
without even asking the user to logon as such...
I can see this happening ONLY if the user is authenticating via BASIC
auth or using a front end like Apache Httpd to perform authentication.
With Form authentication, this behavior would not happen. With form
auth, the user would be redirected to the login page before a secured
page ever received another request from that user.
--David
Alan Chaney wrote:
Martin the problem is that even when you invalidate the session... the
browser itself still knows that the user is cool...
So TC will send it a new session ID and it will return the info
without even asking the user to logon as such...
Please indicate the part of the Tomcat code which makes the above
behavior happen. I quote from the Servlet 2.4 spec.
"If the user is authenticated using form login and has created an HTTP
session, the timeout or invalidation of that session leads to the
user being logged out in the sense that subsequent requests must be
re-authenticated." (SRV.12.5.3.1 Login Form Notes)
so I don't think what you say is correct.
Even when a user opens a new page in the browser... it knows they
"still" cool
Until the browser is closed they logged on ;)
And there is no direct "the browser is gone event"... browsers are
stateless yada yada
This isn't actually correct. Invalidating the session on the server
means that the browser's record of the session is as though the
session never existed. Tomcat will no longer 'associate' session state
with the session Id provided by the browser and all the state in the
session is lost (unless persisted by an application.)
request.getRemoteUser() will return null because the browser and
server can no longer agree on a sessionID, this is as other
contributors have said the 'logged out' state.
The standard servlet authentication mechanisms will redirect any
further access to protected pages to the selected login mechanism as
soon as the session is invalidated.
if request.getRemoteUser() has the user's name... they on... you don't
know when they off
but you can track the user... either you have that in every page and
if you get a name you record time page url...
or you can stick that in a filter... which sits in front of all your
pages, so you don't have to doctor every page on a site...
You know when they in... you dont know when they gone..
It is true that unless you have some javascript code which
specifically generates an event to say that the browser is logged out
AND the network connection is still valid, you don't actually know
that the browser has 'gone'. However, you can easily generate a
session timeout event.
I have actually implemented user state logging (detect login event,
detect navigation events and detect either manual logout or session
timeout) and it works fine. It is driven entirely from looking at the
state of 'getRemoteUser' and the session timeout event.
Regards
Alan Chaney
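The following is an added example, not code from anyone in this thread, of the approach Alan describes: a servlet Filter in front of every page that treats the first request where getRemoteUser() returns a name as the login event and every later one as a page view, plus an HttpSessionListener whose sessionDestroyed callback fires for both session.invalidate() (manual logout) and container timeout. The attribute names, the "/logout" path and the System.out audit sink are assumptions made for this example; it uses the javax.servlet API of the Servlet 2.4 era the thread quotes.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Added example (not from the thread): records LOGIN, PAGE and LOGOUT/TIMEOUT
 * events driven only by getRemoteUser() and the session lifecycle.
 * Register in web.xml with a <filter>/<filter-mapping> on url-pattern "/*"
 * and a <listener> entry naming UserActivityFilter$SessionEnd.
 * Attribute names and the "/logout" path are assumptions for this example.
 */
public class UserActivityFilter implements Filter {

    static final String USER_ATTR = "activity.user";     // user seen at login
    static final String LOGOUT_ATTR = "activity.logout"; // set on explicit logout
    static final String LOGOUT_PATH = "/logout";         // hypothetical logout URL

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // null until the container has authenticated this request
        String user = request.getRemoteUser();

        if (user != null) {
            HttpSession session = request.getSession(true);
            if (session.getAttribute(USER_ATTR) == null) {
                // First authenticated request in this session: the login event.
                session.setAttribute(USER_ATTR, user);
                record("LOGIN", user, request.getRequestURI());
            }
            record("PAGE", user, request.getRequestURI());

            if (LOGOUT_PATH.equals(request.getServletPath())) {
                // Mark the reason, then invalidate: sessionDestroyed runs
                // synchronously and still sees the attributes (Servlet 2.4).
                session.setAttribute(LOGOUT_ATTR, Boolean.TRUE);
                session.invalidate();
                ((HttpServletResponse) res).sendRedirect(request.getContextPath() + "/");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    /** Stand-in for a real audit sink. */
    static void record(String event, String user, String detail) {
        System.out.println(System.currentTimeMillis() + " " + event + " " + user + " " + detail);
    }

    /** Fires for both session.invalidate() and container timeout. */
    public static class SessionEnd implements HttpSessionListener {
        public void sessionCreated(HttpSessionEvent e) { }

        public void sessionDestroyed(HttpSessionEvent e) {
            HttpSession session = e.getSession();
            String user = (String) session.getAttribute(USER_ATTR);
            if (user == null) {
                return; // session never carried an authenticated user
            }
            boolean explicit = Boolean.TRUE.equals(session.getAttribute(LOGOUT_ATTR));
            long idleSec = (System.currentTimeMillis() - session.getLastAccessedTime()) / 1000;
            record(explicit ? "LOGOUT" : "TIMEOUT", user, "idle " + idleSec + "s");
        }
    }
}
```

The caveat David raises applies to the log this produces: with form authentication a destroyed session means the next protected request is redirected to the login page, so LOGOUT/TIMEOUT really marks the end of that user's access. With BASIC auth or a front end such as Apache httpd doing the authentication, the browser resends its credentials on the next request, the container accepts them without asking the user, and the filter records a fresh LOGIN in a new session, so a LOGOUT entry there only means the server-side state was discarded.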
---------------------------------------------------------------------
To start a new topic, e-mail: [email protected]
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]