I should have mentioned that as only one user can be logged into a browser session at any one time, they do have to log out for another user to log on. But the logging out process does not do any cookie handling or server-session invalidation.
This last step may be the missing link.

-----Original Message-----
From: Martin O'Shea [mailto:app...@dsl.pipex.com]
Sent: 22 Sep 2011 19:49
To: 'Tomcat Users List'
Subject: RE: Session management issue with Tomcat

To answer your questions:

Is there a reason this data is in a custom cookie, rather than the session, via setAttribute()?

The cookie is dedicated and meant to be persistent. The idea is that a user is recognised by the system upon returning to the website after having been away for some time. Hence, the userid is stored in the cookie, so that when the user returns to the homepage, the homepage can read the cookie and present that user's recent list on the page.

What is the expiry time of the custom cookie?

The cookie is set for a year.

How exactly are you invalidating this other cookie, when you invalidate the session?

I assume you mean Tomcat's session and not the browser's sessions. The Tomcat sessions are not being invalidated at the moment.

The underlying principle here is that if multiple users use the same PC, and maybe even the same session in a browser, a single cookie is used to store a userid. Various system pages have a login facility and if invoked, the cookie is rewritten with the current user's id. But this is where the Back button issue occurs, so it may be that session invalidation solves my problem.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
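The logout the thread says is missing (server-side session invalidation plus removal of the persistent userid cookie), as an added example not taken from the thread or from the poster's application; the cookie name "userid", the context-path cookie path and the redirect target are assumptions, and setHttpOnly needs Servlet 3.0 (Tomcat 7 or later).

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Logout that ends the Tomcat session, expires the persistent userid cookie
// and tells the browser not to re-display the previous user's pages from cache.
public class LogoutServlet extends HttpServlet {

    // Assumed name of the one-year cookie described in the thread.
    static final String USERID_COOKIE = "userid";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Server side: invalidate the HttpSession so the next user of the
        //    shared PC does not inherit the previous user's attributes.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Client side: overwrite the persistent cookie with an expired copy.
        //    Name and path must match the original cookie, otherwise the browser
        //    keeps the old value and the homepage still recognises the old user.
        String path = req.getContextPath().isEmpty() ? "/" : req.getContextPath();
        Cookie expired = new Cookie(USERID_COOKIE, "");
        expired.setMaxAge(0);          // 0 = delete now; -1 would be session-only
        expired.setPath(path);
        expired.setHttpOnly(true);     // Servlet 3.0+
        expired.setSecure(req.isSecure());
        resp.addCookie(expired);

        // 3. Back button: a page served with no-store is not replayed from the
        //    browser cache. Send these headers on the authenticated pages as well.
        resp.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        resp.setHeader("Pragma", "no-cache");
        resp.setDateHeader("Expires", 0);

        // Assumed landing page; the homepage will now find no userid cookie.
        resp.sendRedirect(req.getContextPath() + "/index.jsp");
    }
}
```

Logout is mapped to POST only so that a plain link or cached GET cannot trigger it; on login, the userid cookie should be rewritten with the same path so that this deletion matches it.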