Chema,

On 9/16/2011 7:37 AM, Chema wrote:
> I've got a web application running on Tomcat 7, with SSL (https)
> and realm for authentication/authorization

Presumably, you are using CLIENT-CERT as your <auth-method>?

> When I invalidate() a session (session.invalidate()), Tomcat
> doesn't know it and thinks that user is still logged in. So, that
> user can get protected pages. Tomcat should return him a login
> window but doesn't.

Why do you think that HttpSession.invalidate() should act as a log out mechanism when using CLIENT-CERT authentication?

> If Tomcat doesn't use SSL, works fine, so I guess I'm not ending
> sessions properly with SSL activated.

SSL session != HttpSession

You need to terminate the SSL session. See a separate thread "SSLSession invalidate" for a discussion about how this is (not) working.

-chris