I tried invalidating the session in java code, but until unless your in JSF life cycle a new session is recreated.
might be this information is helpful to think other way around.
JSF tends to make this very obvious. JSF creates sessions early, since it's so dependent on session-scope objects for things like datatables.
You still log out by invalidating a session. The best way to do that is to code an action method with the "immediate" attribute on the invoking commandButton/commandLink. That will delete the current session and log you out. You then specify where to navigate to on exit from the action method in the usual way.
If the next view to be presented requires session-scope objects, a new session will be created. However that won't be a logged-in session until you actually log back in again.
If your next view is a simple page with a "You have been logged out" message and maybe a "Click Here" to login, you can avoid creating new session objects and that will keep you from cluttering your server with orphaned sessions. On the other hand, if your logout redirects to a public home page with session object references on it, you'll have to endure the fact that people could then leave the site and the orphaned session would linger until the session timeout interval had expired.
"privilege" comes from the Latin words for "private" and "law" (legal) and dates to feudal times. To "claim privilege" meant that you were above the laws that applied to the common people.
I can't take it! You are too smart for me! Here is the tiny ad: