tomcat-users mailing list archives

From Bill_Fellows/MO/
Subject Re: formbased authentication: logout ?
Date Wed, 21 Feb 2001 14:32:04 GMT

I'm sure others are more knowledgeable, but from what I've been able to observe
(snoop servlet is wonderful), a session must have been created before
authentication.  I'm basing all of my stuff off of my b*stardization of
SimpleRealm, BTW.  Session name is JSESSIONID.  A principal user is defined and
the username and password are stored in the session variable (j_username &
j_password.) upon successful authentication.  A tomcat.auth.originalLocation is
defined if they attempted to access a specific secure part before being
authenticated.  If so, after they authenticate it takes them to that particular

To logout, I have my users hit a servlet (could be a jsp) that goes through all
the cookies and expires them.  Since tomcat can only expire the cookies it
created, you don't have to worry about killing someone else's cookie.  Looking
at my code now, I can't remember if expiring the session takes care of removing
the cookies or not.  At any rate, I think I had trouble getting the
session.invalidate() to work in a jsp (since they create sessions automagically)
so maybe that's why I went to the jsp.  Maybe the invalidate is required to drop
the principal user...  At any rate, I'm going to re-evaluate my code but this
does work.  Enjoy.


    public void doGet(HttpServletRequest request, HttpServletResponse response)
    throws IOException, ServletException
    {
      if ( request.isRequestedSessionIdValid() )
      {
          HttpSession session = request.getSession(false);
         Cookie BagofGingerSnaps[]  = request.getCookies();
         if (BagofGingerSnaps != null)  //getCookies() returns null when the request has no cookies
         {
            for (int i = 0; i < BagofGingerSnaps.length ; i++)
            {
               BagofGingerSnaps[i].setMaxAge(0);  //expire all cookies in 0 seconds
               response.addCookie(BagofGingerSnaps[i]);  //replace old cookies with the new
            }
         }
      }
    }//closes doGet

paul marshal <> on 02/21/2001 09:10:08 AM

Please respond to

To:   tomcat-list <>
cc:    (bcc: Bill Fellows/MO/americancentury)
Subject:  formbased authentication: logout ?

How do I create a possibility for my users to logout.
Is there something in the HttpSession that I need to delete ?
Or how does it all work ?


Paul Marshall
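
A logout servlet that ends the session on the server instead of relying on cookie expiry alone, as an added example that is not part of the original post or of Tomcat's own code. It assumes the javax.servlet API and the JSESSIONID cookie name mentioned in the message; the class name LogoutServlet and the redirect target are hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (hypothetical class name), not the poster's code.
public class LogoutServlet extends HttpServlet {

    // POST only, so a plain link or image tag on another site cannot trigger it.
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        // getSession(false) never creates a session; null means nothing to end.
        HttpSession session = request.getSession(false);
        if (session != null) {
            // Server-side termination: the container discards the session and
            // everything bound to it, so the old session id stops working even
            // if a copy of the cookie survives in the browser or elsewhere.
            session.invalidate();
        }

        // Client-side cleanup. Cookies read from a request carry only a name
        // and a value, so the path is set explicitly to match the one used
        // when the cookie was issued (assumed here: the context path).
        String path = request.getContextPath();
        Cookie expired = new Cookie("JSESSIONID", "");
        expired.setPath(path.length() == 0 ? "/" : path);
        expired.setMaxAge(0);
        response.addCookie(expired);

        // Keep the browser from redisplaying cached protected pages.
        response.setHeader("Cache-Control", "no-store");
        // Hypothetical landing page after logout.
        response.sendRedirect(path + "/index.jsp");
    }
}
```

After this runs, a request that replays the old JSESSIONID value should be treated as unauthenticated, which is the check to make when testing a logout path.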
