I should have mentioned that as only one user can be logged into a browser
session at any one time, they do have to log out for another user to log on.
But the logging out process does not do any cookie handling or
server-session invalidation.

This last step may be the missing link.

-----Original Message-----
From: Martin O'Shea [mailto:app...@dsl.pipex.com] 
Sent: 22 Sep 2011 19:49
To: 'Tomcat Users List'
Subject: RE: Session management issue with Tomcat

To answer your questions:

Is there a reason this data is in a custom cookie, rather than the session,
via setAttribute()?

The cookie is dedicated and meant to be persistent. The idea is that a user
is recognised by the system upon returning to the website after having been
away for some time. Hence, the userid is stored in the cookie, so that when
the user returns to the homepage, the homepage can read the cookie, and
present that user's recent list on the page.

What is the expiry time of the custom cookie?

The cookie is set for a year.

How exactly are you invalidating this other cookie, when you invalidate the
session?

I assume you mean Tomcat's session and not the browser's sessions. The
Tomcat sessions are not being invalidated at the moment. 

The underlying principle here is that if multiple users use the same PC, and
maybe even the same session in a browser, a single cookie is used to store a
userid. Various system pages have a login facility and if invoked, the
cookie is rewritten with the current user's id. But this is where the Back
button issue occurs so it may be that session invalidation solves my
problem.



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
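A logout servlet that performs the two steps the reply above says are missing (invalidating the Tomcat session and expiring the persistent userid cookie), plus the cache headers that stop the Back button from showing a cached authenticated page. This is an added example, not code from the thread; the cookie name `userid`, the cookie path and the redirect target are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Logout: invalidate the server-side session and expire the persistent cookie. */
public class LogoutServlet extends HttpServlet {

    // Assumed name of the persistent cookie described in the thread.
    private static final String USERID_COOKIE = "userid";

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // 1. Drop the Tomcat session so its attributes cannot be picked up by
        //    the next person using the same browser.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Expire the persistent cookie. The browser only overwrites a cookie
        //    whose name, path and domain match, so the path must be the one used
        //    when the cookie was issued (assumed here to be the context path).
        String path = request.getContextPath().isEmpty() ? "/" : request.getContextPath();
        Cookie expired = new Cookie(USERID_COOKIE, "");
        expired.setMaxAge(0);              // 0 = delete immediately
        expired.setPath(path);
        expired.setHttpOnly(true);         // Servlet 3.0+
        expired.setSecure(request.isSecure());
        response.addCookie(expired);

        // 3. The logout response must not be cached. The same headers belong on
        //    every authenticated page (typically via a Filter) so that Back makes
        //    the browser re-request the page instead of showing a cached copy.
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        // Assumed landing page after logout.
        response.sendRedirect(request.getContextPath() + "/index.jsp");
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doPost(request, response);         // allow a plain logout link as well
    }
}
```

Map it to a URL such as `/logout` in web.xml or with `@WebServlet`; every login page that rewrites the cookie should call this same invalidation first so the old user's session never survives the switch.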