tomcat-users mailing list archives

From David Delbecq <>
Subject Re: [OT] Correct action to take on log out
Date Sun, 09 Sep 2007 21:32:30 GMT

using container security, as such we do not provide for a "logout" 
option. We see no need for a logout as there is no reason for our user 
to change identity :) If you keep a session after logout, the risk that 
might occur is that some data that is to be considered "confidential" 
remains in the session of a now-anonymous user. This can result in somewhat 
incoherent access rules if you don't check them every time they are 
involved but only "once per session" :)

BTW, you don't need a session, I think, to collect usage patterns etc. A 
simple valve that injects a marking cookie, different from the session, 
should be enough.

lightbulb432 wrote:
> What are the things you do when a user logs out? Some options include
> invalidating the entire HttpSession, keeping the session alive but setting
> some attribute (e.g. "loggedIn") to false, or doing something else I haven't
> thought of.
> I was thinking that upon logout the simplest thing to do is invalidate the
> session, but there might be really valuable use cases that require a session
> to remain alive. For example, collecting data on and analyzing usage
> patterns for a given user while logged in and after logging out (for web
> applications that have plenty of functionality or content for users that are
> not logged in).
> What do your applications do on logout, and what have you seen other
> production applications do? What's the "best practice" in this regard? What
> are the tradeoffs I probably haven't thought of?
> Thanks.
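As an added illustration (not code from anyone in this thread), a servlet logout handler that takes the "invalidate the whole session" route and, as suggested above, carries usage tracking on a marking cookie separate from the session; the `LogoutServlet` class and the `visitor` cookie name are assumptions, and `setHttpOnly` needs Servlet 3.0 or later.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Logout that discards the whole authenticated session rather than flipping a
// "loggedIn" attribute, so nothing confidential survives into the now-anonymous
// session; usage tracking continues through a separate identity-free cookie.
public class LogoutServlet extends HttpServlet {
    // Hypothetical marker name: not the session id, never used for access checks.
    static final String VISITOR_COOKIE = "visitor";
    private static final SecureRandom RANDOM = new SecureRandom();

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpSession session = req.getSession(false);
        if (session != null) session.invalidate(); // principal, roles, cached data go too
        // Expire the container's session cookie client-side as well, so the
        // old id is not presented again on the next request.
        String ctx = req.getContextPath();
        Cookie dead = new Cookie("JSESSIONID", "");
        dead.setPath(ctx.isEmpty() ? "/" : ctx);
        dead.setMaxAge(0);
        resp.addCookie(dead);
        // Keep the marker if the browser already has one, else start a new one;
        // it only links page views together and carries no user identity.
        if (findCookie(req, VISITOR_COOKIE) == null) {
            byte[] raw = new byte[16];
            RANDOM.nextBytes(raw);
            Cookie marker = new Cookie(VISITOR_COOKIE,
                    Base64.getUrlEncoder().withoutPadding().encodeToString(raw));
            marker.setPath("/");
            marker.setHttpOnly(true);
            marker.setSecure(req.isSecure());
            marker.setMaxAge(60 * 60 * 24 * 365);
            resp.addCookie(marker);
        }
        resp.sendRedirect(ctx + "/");
    }

    static Cookie findCookie(HttpServletRequest req, String name) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) if (name.equals(c.getName())) return c;
        return null;
    }
}
```

Because the marker is never consulted by any authorization check, the "once per session" access-rule drift described above cannot arise from it.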
