tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alan Chaney <>
Subject Re: Programmatically detecting login or logout events
Date Mon, 28 Jul 2008 14:49:06 GMT

> Martin the problem is that even when you invalidat the session... the 
> browser itself still knows that the user is cool...
> So TC will send it a new session ID and it will return the info without 
> even asking the user to logon as such...

Please indicate the part of the Tomcat code which makes the above 
behavior happen. I quote from the Servlet 2.4 spec.

"If the user is authenticated using form login and has created an HTTP 
session, the timeout or invalidation of that sessions leads to the user 
being logged out in the sense that subsequent requests must be 
re-authenticated." (SRV. Login Form Notes)

so I don't think what you say is correct.

> Even when a user opens a new page in the browser... it knows they 
> "still" cool
> Until the browser is closed they logged on ;)
> And there is no direct "the browser is gone event"... browsers are 
> stateless yada yada

This isn't actually correct. Invalidating the session on the server 
means that the browser's record of the session is as though the session 
never existed. Tomcat will no longer 'associate' session state with the 
session Id provided by the browser and all the state in the session is 
lost (unless persisted by an application.)

request.getRemoteUser() will return null because the browser and server 
can no longer agree on a sessionID, this is as other contributors have 
said the 'logged out' state.

The standard servlet authentication mechanisms will redirect any 
furtheraccess to protected pages to the selected login mechanism as soon 
as the session is invalidated.

> if request.getRemoteUser() has the users name... they on... you dont 
> know when they off
> but you can track the user... either you have that in every page and if 
> you get a name you record time page url...
> or you can stick that in a filter... which sits in front of all your 
> pages, so you dont have to doctor every page on a site...
> You know when they in... you dont know when they gone..

It is true that unless you have some javascript code which specifically 
generates an event to say that the browser is logged out AND the network 
connection is still valid, you don't actually know that the browser has 
'gone'. However, you can easily generate a session timeout event.

I have actually implemented user state logging (detect log in event, 
detect navigation events and detect either manual logout or session 
timeout and it works fine. It is driven entirely from looking at the 
state of 'getRemoteUser' and the session timeout event.


Alan Chaney

To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message