logout security servlet

 
Andrew Mcmurray
Ranch Hand
Posts: 188
Hi all,

I am using Tomcat's web.xml to auth users to certain resources. I am wondering if there is a way in a servlet to kill their session id. For example, if they wanted to log out, all they would have to do is click a logout link and it would go to a servlet that would get rid of their session id.

Any thoughts?

Thanks,

AMD
 
David O'Meara
Rancher
Posts: 13459
It depends what sort of authentication you're using, and I should also point out that the session is not the same as authentication, and while many servers use the session to support authentication this is not always the case.

For example if you're using BASIC authentication, there isn't really any way to log them out, but you can use session.invalidate to remove the session. If they then get a new session they will not necessarily get a new session id, they may retain the same one.

FORM-based authentication typically supports a logout operation, but on some servers this is as simple as a session.invalidate() call, on others you may need to use a proprietary library to accomplish the logout.

Dave
 
Andrew Mcmurray
Ranch Hand
Posts: 188
Thanks

I am using Form based and the latest Tomcat. So I will try the session.invalidate.

AMD
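
The FORM-based case discussed above, as an added example that is not code from the thread or from Tomcat: a logout servlet that ends the container-managed login and invalidates the session. It assumes a Servlet 3.0+ container (for `request.logout()` and `@WebServlet`); the `/logout` mapping and the `/loggedout.html` landing page are hypothetical names.

```java
import java.io.IOException;
import javax.servlet.ServletException;   // on Tomcat 10+ these packages are jakarta.servlet.*
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical mapping. Keep it outside any <security-constraint> in web.xml,
// otherwise a request without a valid login is sent to the login form first.
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    // POST rather than GET, so a plain cross-site link or image tag cannot
    // trigger the logout; the "logout link" is then a small form that posts here.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        // Servlet 3.0+: clears the authenticated principal, so getRemoteUser()
        // and getUserPrincipal() return null for the rest of this request.
        req.logout();

        // getSession(false) avoids creating a session only to destroy it.
        HttpSession session = req.getSession(false);
        if (session != null) {
            // Unbinds every attribute and makes the old session id useless
            // on the server side, even if the browser still sends the cookie.
            session.invalidate();
        }

        // The logout response itself should not be cached.
        resp.setHeader("Cache-Control", "no-store");

        // Hypothetical public page. Redirecting to a protected URL would
        // immediately bounce the user back to the login form.
        resp.sendRedirect(req.getContextPath() + "/loggedout.html");
    }
}
```

To check the result, request a protected resource after logging out: the container should answer with the login form again. With BASIC authentication the browser resends the credentials on every request, so this servlet alone does not end the login there.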
 