Al Hobbs wrote: Have you debugged or done tests to see if the logout method is being called?
Al Hobbs wrote: Okay, so logout works because you are getting a new session id after logging out. That makes sense if the only place you invalidate the session is when you log out. Are you invalidating the session when logging in?
Al Hobbs wrote: You want a new session after somebody logs in, right? If you want a new session you have to invalidate the old one.
Al Hobbs wrote: You don't have to log in to get a session id. Anytime you visit a site, you get a session id. When the person logs in, invalidate the session, then when you getSession() it will automatically make a new one for you. Done. Dunno what base you are talking about.
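The login step described in the post above, as an added example that is not code from the thread: a servlet that invalidates the pre-login session and lets getSession() create a new one, so the session id the browser held before authentication is never reused afterwards. It assumes the javax.servlet API; the LoginServlet class, the /home redirect and the single demo account are constructed for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginServlet extends HttpServlet {

    // Constructed demo account; a real application checks a credential store.
    private static final String DEMO_USER = "alice";
    private static final byte[] DEMO_PASSWORD =
            "correct horse".getBytes(StandardCharsets.UTF_8);

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String user = req.getParameter("username");
        String password = req.getParameter("password");

        if (!credentialsAreValid(user, password)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // The browser usually already holds a session id from before login.
        // getSession(false) returns that session without creating a new one.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }

        // After invalidate(), getSession() creates a fresh session with a new id.
        HttpSession fresh = req.getSession();
        fresh.setAttribute("user", user);
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    // Hypothetical helper: compares against the constructed demo account.
    private static boolean credentialsAreValid(String user, String password) {
        return user != null && password != null
                && DEMO_USER.equals(user)
                && MessageDigest.isEqual(DEMO_PASSWORD,
                        password.getBytes(StandardCharsets.UTF_8));
    }
}
```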
Dave Tolls wrote: You don't control the sessions.
That's handled by the server and browser.
You'll find that a single browser (e.g. Chrome, Firefox etc.) talking to a single website will only have the one session, no matter how many tabs you open, or browser windows.
Whoever said that not logging in will result in no session either does not understand how sessions work, or "session id" does not mean what we think it means.
Dave Tolls wrote: The wording strikes me as strange on those requirements.
"Based on this identifier [the session ID], the server can check if the functions of the user are allowed."
Maybe it's just the way it's written, but that wouldn't be how I think of a normal sessionID.
I don't think I've ever used a session ID to determine a user's privileges.