tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Invalidate problem with Opera
Date Fri, 11 Jun 2010 12:38:41 GMT
Søren Blidorf wrote:
> In my webapp I use session.invalidate().
> It works fine in IE, but not in Opera.
> I get no error but the user is still logged in.
> Any ideas?
> 
A guess, and a way to check it :

The guess is that a side-effect of session.invalidate() is that in the 
next response to the browser, the JSESSIONID cookie should be deleted.

The check :
- get the Fiddler2 add-on for IE and install it
- get a similar add-on for Opera and install it
(These add-ons allow you to see which HTTP headers the server is sending 
to the browser; as a more complex alternative, use Wireshark or so).

Then call up the respective browser, trigger the add-on, and start and 
stop a session. At the start of a session, you should see a response 
from the server including a Set-Cookie header, for a JSESSIONID cookie.

In the last response from the server (after your logout), there should 
be a Set-Cookie header, which cancels the JSESSIONID cookie (probably by 
setting the expiration to "now").
This HTTP header should be identical in both cases.
If it is, and it works in one case and not the other, then it is either 
a browser bug, or the Set-Cookie header itself which is not entirely 
correct (unlikely, I guess).

By "it works", I mean that the result should be to delete the cookie in 
the browser.  If the cookie is deleted, then at the next request to the 
server, no JSESSIONID cookie is sent, and Tomcat will consider this as a 
new session.
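
The check described in the message above, as an added example that is not part of the original post: it takes the Set-Cookie values copied from each browser's capture of the post-logout response, reports whether any of them cancels the JSESSIONID cookie, and whether the server sent the same headers to both browsers. The header values are constructed samples and the function names are hypothetical.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers (not taken from a real capture).
LOGIN = "JSESSIONID=0123456789ABCDEF; Path=/app; HttpOnly"
CANCEL = "JSESSIONID=; Path=/app; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:10 GMT"
SAMPLE_LOGOUT = {"IE": [CANCEL], "Opera": [CANCEL]}

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, lower-cased attributes)."""
    first, *rest = [p.strip() for p in header_value.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def cancels_cookie(header_value, cookie_name="JSESSIONID", now=None):
    """True if this Set-Cookie value tells the browser to delete cookie_name."""
    now = now or datetime.now(timezone.utc)
    name, _, attrs = parse_set_cookie(header_value)
    if name != cookie_name:
        return False
    # Max-Age wins over Expires when both are present (RFC 6265).
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            pass  # unparseable Max-Age: fall back to Expires
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return False
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return expires <= now
    return False  # no expiry attribute: the cookie is set, not deleted

def compare_logout(captures, cookie_name="JSESSIONID"):
    """captures: browser name -> Set-Cookie values from the post-logout response."""
    report = {b: any(cancels_cookie(h, cookie_name) for h in hs)
              for b, hs in captures.items()}
    identical = len({tuple(hs) for hs in captures.values()}) == 1
    return report, identical

if __name__ == "__main__":
    print(compare_logout(SAMPLE_LOGOUT))
```

An empty list for a browser means its logout response carried no Set-Cookie header at all, which the report shows as False for that browser.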


