tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bob Herrmann <>
Subject [5.0] [PATCH] new logout() method on HttpSession
Date Wed, 07 Aug 2002 20:07:20 GMT
The "api.txt" patch should be applied to "jakarta-servletapi-5"
The "catalina.txt" patch should be applied to "jakarta-tomcat-catalina"

Can someone apply these patches?

The 2.4 Serlvet spec includes a new method HttpSession.logout() (see
section 15.1.7)  

[from 15.1.7] "public void logout()  Logs the client out of the web
server and invalidates all sessions associated with this client. The
scope of the logout is the same as the scope of the authentication. For
example, if the servlet container implements single signon, the logout
logs the client out of all web applications on the servlet container and
invalidates all sessions associated with the same client."

The attached implementation of logout() just calls invalidate().  So
what is the difference between logout() and invalidate()?  Well
invalidate() in Tomcat needs to change so that in the single signon case
it doesn't logout from all web apps.  I am still working on how to
implement that, but I thought this "short" patch would bring Tomcat 5 to
mostly spec compliance quickly. The last paragraph of chapter 12 states
invalidate()'s new single signon behavior of only effecting the current
webapp and not all other webapps.

[last paragraph of chapter 12] "For single signon containers, logout
causes all other active sessions associated with the current user to be
invalidated. Invalidation or timeout of an individual session causes the
termination of that session, but does not cause logout unless it is the
last session for this user. In that situation, the container may start a
new session for one or more of the web applications without
re-authenticating the user."


View raw message