I am using Tomcat's web.xml to auth users to certain resources. I am wondering if there is a way in a servlet to kill their session id. For example, if they wanted to log out, all they had to do is click a logout link and it would go to a servlet that would get rid of their session id.
It depends what sort of authentication you're using, and I should also point out that the session is not the same as authentication, and while many servers use the session to support authentication this is not always the case.
For example, if you're using BASIC authentication, there isn't really any way to log them out, but you can use session.invalidate() to remove the session. If they then get a new session, they will not necessarily get a new session id; they may retain the same one.
FORM-based authentication typically supports a logout operation, but on some servers this is as simple as a session.invalidate() call, on others you may need to use a proprietary library to accomplish the logout.
posted 12 years ago
I am using Form based and the latest Tomcat. So I will try the session.invalidate.
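
A minimal logout servlet for the FORM-based case discussed in this thread, added here as an example and not code from any of the posters. It assumes the Servlet 3.0+ API under `javax.servlet` (Tomcat 10 and later use `jakarta.servlet` instead); the `/logout` mapping and the `/index.jsp` redirect target are hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical mapping: the logout link in the page points at <context>/logout.
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Servlet 3.0+: ask the container to drop the authenticated principal.
        // With FORM auth this clears the login held by the container; with BASIC
        // auth the browser will simply resend the credentials on the next request.
        req.logout();

        // getSession(false) avoids creating a fresh session only to destroy it.
        HttpSession session = req.getSession(false);
        if (session != null) {
            // Discards the server-side session and every attribute bound to it.
            session.invalidate();
        }

        // Keep the redirect response itself out of browser and proxy caches.
        resp.setHeader("Cache-Control", "no-store");

        // Hypothetical landing page; any unprotected resource works. Requesting a
        // protected one instead sends the user back to the login form.
        resp.sendRedirect(req.getContextPath() + "/index.jsp");
    }
}
```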