logout / session invalidate not working


michael.lowden
01-08-2010, 08:54 PM
I'm trying to use JDBC authentication, and have figured everything out for the log-in process and it works great. However, I cannot seem to trigger the session.invalidate at all. It's not storing any cookies, but for some reason, it keeps the old session and I have to reload the browser to get a new sessionid.

Any help is greatly appreciated (PS --- I'm on 3.1.9 as that's what the host uses)

My logout servlet code is:
    public void doLogout(HttpServletRequest req, HttpServletResponse res){
        BasicLogin oBL = new BasicLogin();
        try{
            req.getSession().invalidate();
            oBL.logout(
                req, res, req.getSession().getServletContext()
            );
            out.println("logged out");
        } catch(Exception e) {
            logger.severe( e.getMessage() );
            logger.severe( e.getStackTrace().toString() );
        } finally {
            //res.sendRedirect("/");
        }
    }

Thanks in advance

nam
01-09-2010, 02:30 AM
Are you using enable-url-rewriting? That would cause old session ids to be reused even when no cookies are set. Nevertheless, the old session id shouldn't contain any data since you had invalidated it.

michael.lowden
01-09-2010, 02:49 AM
Thanks, I just checked my /conf/resin.conf and it has:
    <session-config>
        <enable-url-rewriting>false</enable-url-rewriting>
    </session-config>
So no, I don't have that enabled :(

michael.lowden
01-09-2010, 02:55 AM
Just tried extra settings ... didn't work either :(
    <session-config
        enable-url-rewriting='false'
        reuse-session-id='false'/>

SkillAdvance
04-23-2010, 08:54 PM
I'm experiencing pretty much the same problem on the same version (3.1.9) - I cannot invalidate a session via a 'logout' link (for now, in a JSP).

I've tried the mechanism shown here:

http://www.caucho.com/resin-3.0/security/tutorial/security-basic/index.xtp#Causing-a-logout

which doesn't help.

Any clues/suggestions would be very helpful to me also, please.
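
Added example, not part of the thread and not code from any poster or from Resin: a logout handler written against the standard Servlet 2.5 API only. In the servlet posted at the top of the thread, `req.getSession()` is called again after `invalidate()`, and under the Servlet API that call creates a fresh session; whether that is the cause of the behaviour reported here is not confirmed in the thread. `LogoutServlet`, `mask`, the default `JSESSIONID` cookie name and the cookie path are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletContext;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical class name; only standard Servlet 2.5 API calls are used.
public class LogoutServlet extends HttpServlet {
    // Assumption: the container issues its session cookie under the default name.
    private static final String SESSION_COOKIE = "JSESSIONID";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        // getSession(false) returns null instead of creating a session.
        HttpSession session = req.getSession(false);
        if (session != null) {
            // Fetch everything needed from the session before invalidating it.
            ServletContext ctx = session.getServletContext();
            String oldId = session.getId();
            session.invalidate();
            ctx.log("logout: invalidated session " + mask(oldId));
        }
        // From here on, never call req.getSession() or req.getSession(true):
        // either one would hand the browser a brand-new session.

        // Expire the session cookie, if one was in use. Assumption: it was set
        // with the context path (or "/" for the root context) as its path.
        Cookie expired = new Cookie(SESSION_COOKIE, "");
        expired.setMaxAge(0);
        String path = req.getContextPath();
        expired.setPath(path.length() == 0 ? "/" : path);
        res.addCookie(expired);

        res.sendRedirect(path + "/");
    }

    // Log only a prefix of the id so logs never hold a usable session token.
    private static String mask(String id) {
        return id.length() <= 4 ? "****" : id.substring(0, 4) + "****";
    }
}
```

A quick check after deploying a handler like this: request a protected page with the old session id and confirm the container answers with a login challenge and issues a different id.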