Hi all, I have a logoff action, and inside it I do the following.

// Clean up the session if there is one
HttpSession session = request.getSession();
session.invalidate();

When I watch what's happening in the manager application (I'm using Tomcat), the number of sessions does not decrease, and I can back up in the browser and call actions, all of which have code to check for a valid session.

This raises a question: what's the best way in my web-app to make sure the user is valid? Should I check in **every** action?

--
-Dave [EMAIL PROTECTED]
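An added example, not part of the original post and not a diagnosis of the behaviour reported in it: one common way to avoid repeating the session check in every action is a single servlet filter in front of all protected URLs. It assumes the `javax.servlet` API; the `"user"` session attribute and the `/login` path are hypothetical names.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: one central session check instead of a check in every action.
// Assumptions (hypothetical names): login stores a "user" session attribute,
// and the login page is served at /login.
public class SessionCheckFilter implements Filter {

    public void init(FilterConfig config) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Ask the browser not to store protected pages, so Back re-requests them.
        response.setHeader("Cache-Control", "no-store");

        // Let the login page through, otherwise the redirect below would loop.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (path.equals("/login")) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false) never creates a session; the no-argument
        // getSession() creates a fresh one whenever none exists.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            response.sendRedirect(request.getContextPath() + "/login");
            return;
        }
        chain.doFilter(req, res);
    }

    // Logoff helper: invalidate only if a session actually exists.
    public static void logoff(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }
}
```

The filter takes effect once it is mapped to the protected URL pattern in the application's `web.xml`.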