On 23/09/2011 19:47, Martin O'Shea wrote:
> I should have mentioned that as only one user can be logged into a browser
> session at any one time, they do have to log out for another user to log on.
> But the logging out process does not do any cookie handling or
> server-session invalidation.

The only way to execute a logout from FORM auth is session.invalidate();

p

> This last step may be the missing link.
>
> -----Original Message-----
> From: Martin O'Shea [mailto:app...@dsl.pipex.com]
> Sent: 22 Sep 2011 19:49
> To: 'Tomcat Users List'
> Subject: RE: Session management issue with Tomcat
>
> To answer your questions:
>
> Is there a reason this data is in a custom cookie, rather than the session,
> via setAttribute()?
>
> The cookie is dedicated and meant to be persistent. The idea is that a user
> is recognised by the system upon returning to the website after having been
> away for some time. Hence, the userid is stored in the cookie, so that when
> the user returns to the homepage, the homepage can read the cookie, and
> present that user's recent list on the page.
>
> What is the expiry time of the custom cookie?
>
> The cookie is set for a year.
>
> How exactly are you invalidating this other cookie, when you invalidate the
> session?
>
> I assume you mean Tomcat's session and not the browser's sessions. The
> Tomcat sessions are not being invalidated at the moment.
>
> The underlying principle here is that if multiple users use the same PC, and
> maybe even the same session in a browser, a single cookie is used to store a
> userid. Various system pages have a login facility and if invoked, the
> cookie is rewritten with the current user's id. But this is where the Back
> button issue occurs so it may be that session invalidation solves my
> problem.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
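As an added illustration of the logout the reply describes (not code from either poster), a servlet that invalidates the container session and also expires the application's persistent user cookie in the same request. The cookie name "userid", its path "/", and the "/logout" mapping are assumptions; the original cookie's name and path must match for the browser to replace it.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical logout servlet for a FORM-authenticated webapp (Servlet 3.0+ API).
public class LogoutServlet extends HttpServlet {

    // Assumed name and path of the persistent cookie the thread describes.
    private static final String USER_COOKIE = "userid";
    private static final String COOKIE_PATH = "/";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doPost(request, response);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // 1. End the container-managed session: this drops the authenticated
        //    Principal and every session attribute. getSession(false) avoids
        //    creating a fresh session just to invalidate it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Expire the application's own cookie. The browser only replaces a
        //    cookie whose name and path match the one originally set, so reuse
        //    the same values here. Max-Age 0 deletes it immediately.
        Cookie expired = new Cookie(USER_COOKIE, "");
        expired.setMaxAge(0);
        expired.setPath(COOKIE_PATH);
        expired.setHttpOnly(true);
        expired.setSecure(request.isSecure());
        response.addCookie(expired);

        // 3. Forbid caching of this response so the Back button cannot
        //    re-display it for the next user of the shared PC.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        response.sendRedirect(request.getContextPath() + "/");
    }
}
```

The cache headers only cover the logout response itself; pages that render per-user data (such as the recent list) need the same headers, for example from a filter, before the Back button will re-request them instead of showing the previous user's copy.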