tomcat-users mailing list archives

From Luke Taylor <>
Subject [Q] Session invalidation and authentication mechanism
Date Mon, 14 Aug 2000 09:03:34 GMT
Basically the question is how are the session and authentication data
linked (or are they)?

I've set up a web application which has various security constraints
configured in the web.xml file and I use basic authentication to log in.
At a later stage I want to log out and I click on a link that gets a
servlet to invalidate() the user session. The problem is that I can
still access pages which are protected and the browser doesn't ask me
to log in again. I would have expected the security information to be
linked to the session object, and indeed the user principal object is
no longer there when I subsequently call getUserPrincipal() (during
another logout attempt)...

Anyone any ideas?


 Luke Taylor.
 PGP Key ID: 0x57E9523C
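
Added example, not part of the original message and not Tomcat code: a small Java model of the behaviour described above. It assumes standard HTTP Basic behaviour, where the browser caches the credentials after the first prompt and re-sends them in the Authorization header of every request; the class, method names and sample account are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;

public class BasicAuthLogoutDemo {
    // Constructed sample account, for the demo only.
    static final String USER = "luke", PASS = "constructed-password";
    // Server-side session ids that are currently valid.
    static final Set<String> liveSessions = new HashSet<>();

    // Builds the header value a browser sends for HTTP Basic.
    static String basic(String user, String pass) {
        byte[] raw = (user + ":" + pass).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    // Container model (assumption): the security constraint is evaluated
    // against the Authorization header of each request, not the session.
    static int getProtectedPage(String authorization, String sessionId) {
        if (!basic(USER, PASS).equals(authorization)) {
            return 401;               // challenge: the browser would prompt here
        }
        liveSessions.add(sessionId);  // a session is created again on demand
        return 200;
    }

    // Logout servlet model: invalidate() only discards server-side state.
    static void logout(String sessionId) {
        liveSessions.remove(sessionId);
    }

    public static void main(String[] args) {
        // Browser model: credentials cached after one successful prompt.
        String cached = basic(USER, PASS);

        System.out.println("no credentials yet:       " + getProtectedPage(null, "s1"));
        System.out.println("after login prompt:       " + getProtectedPage(cached, "s1"));
        logout("s1");
        System.out.println("session s1 still valid:   " + liveSessions.contains("s1"));
        // The browser still holds the credentials, so no new prompt appears.
        System.out.println("protected page, new s2:   " + getProtectedPage(cached, "s2"));
        // Access is refused only once the header is no longer sent.
        System.out.println("header no longer present: " + getProtectedPage(null, "s3"));
    }
}
```

In this model the session is gone after logout() but the protected page is still served, because the credentials live in the browser rather than in the session; form-based login, where the authenticated state is held in the session, does not have this split.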
