If you are only doing this in JSPs then you would have to call the session.invalidate();. Though you should think about using servlets as well so you don't have to do all your java coding in side the jsps as this quickly gets messy and unmanageable.
Actually, you should be doing authentication checking in a filter, not in the JSPs, not in the servlets. And using .isNew() is not the best of ideas. Places an authetication token in the session upon login and check for that.
jagan raja wrote:And Bibeault, can I know why I shouldnt be using isNew()?
Look it up in the javadoc and see f you can answer this question yourself.
And authentication token in the sense do I want to set a attribute in a session and check for that in my jsp?
Yes, except that you can put something much more meaningful than a string in the session. I use a construct that not only indicates that a user is logged in, but identifies the user (as well as other properties such as roles and permissions when appropriate).