tomcat-users mailing list archives

From "Mike Curwen" <gb_...@gb-im.com>
Subject RE: How to really destroy a Session
Date Fri, 16 Apr 2004 14:17:59 GMT
well uh... we're talking about JSESSIONID, no?
 
So if you call session.invalidate on the server-side, then that
JSESSIONID is removed from whatever internal session management 'space'
that Tomcat uses. When the client then makes additional requests, and
sends that JSESSIONID cookie along with those requests, it doesn't match
any JSESSIONID that Tomcat has in its "session space", and so the user
"has no session". But once the user closes the browser, JSESSIONID
cookie goes away.

Everything works as it should. If you see JSESSIONID cookies, even
*After* a browser close and restart, that is a *browser* problem.
Worrying about cleaning up the JSESSIONID cookie is pointless... it's
not your responsibility. Tomcat *told* the browser to clean up the
cookie when it exits.


> -----Original Message-----
> From: Yang Xiao [mailto:yxiao@ohpp.com] 
> Sent: Friday, April 16, 2004 9:04 AM
> To: 'Tomcat Users List'
> Subject: RE: How to really destroy a Session
> 
> 
> That's if it's a session cookie, is it? You can always use 
> the Cookie API to force the cookie to expire.
> 
> -----Original Message-----
> From: Mike Curwen [mailto:gb_dev@gb-im.com] 
> Sent: Friday, April 16, 2004 9:56 AM
> To: 'Tomcat Users List'
> Subject: RE: How to really destroy a Session
> 
> The cookie is removed when the user closes the browser, no ?
> 
> 
> > -----Original Message-----
> > From: marc.baumgartner@degussa-bank.de
> > [mailto:marc.baumgartner@degussa-bank.de] 
> > Sent: Friday, April 16, 2004 8:34 AM
> > To: tomcat-user@jakarta.apache.org
> > Subject: How to really destroy a Session
> > 
> > Hi all,
> > 
> > I am using Tomcat 5.0.19.
> > 
> > In my application the generated sessions are identified by a
> > cookie on the client. I only allow single sign on. Now I want 
> > to destroy the session and I call in a session an 
> > invalidate() and the session isn't available. Then the 
> > application redirects the request to the start page. But 
> > there is still the cookie with JSESSIONID on the client and 
> > there is no new session possible.
> > 
> > Is there a solution to remove these cookies?
> > 
> > Thanks,
> > Marc
> > 
> > 
> > 
> ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> > 
> 
> 


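Added example, not part of the thread or of Tomcat's own code: the two steps discussed above combined in one logout handler, calling session.invalidate() on the server and using the Cookie API to expire JSESSIONID on the client. The class name LogoutServlet and the redirect target are hypothetical, and the cookie path is assumed to be the context path; the javax.servlet package matches the Tomcat 5 era (Tomcat 10 and later use jakarta.servlet).

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical logout servlet (name and redirect target are assumptions).
public class LogoutServlet extends HttpServlet {

    private static final String SESSION_COOKIE = "JSESSIONID";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Server side: drop the session so the old id no longer matches
        //    anything. getSession(false) avoids creating a session just to
        //    destroy it.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Client side: overwrite the cookie with an already-expired one.
        //    The browser only discards it if name and path match the original;
        //    the path here is assumed to be the context path ("/" for ROOT).
        if (hasCookie(req, SESSION_COOKIE)) {
            Cookie expired = new Cookie(SESSION_COOKIE, "");
            String path = req.getContextPath();
            expired.setPath(path.isEmpty() ? "/" : path);
            expired.setMaxAge(0); // 0 = delete immediately
            resp.addCookie(expired);
        }

        // 3. Redirect to the start page; the next request that needs a
        //    session gets a fresh id from the container.
        resp.sendRedirect(req.getContextPath() + "/");
    }

    private static boolean hasCookie(HttpServletRequest req, String name) {
        Cookie[] cookies = req.getCookies(); // null when no cookies were sent
        if (cookies == null) return false;
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) return true;
        }
        return false;
    }
}
```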