oops meant to send this to the list as well.

---------- Forwarded message ----------
From: David Johnson <[EMAIL PROTECTED]>
Date: Tue, 8 Mar 2005 09:15:52 -0500
Subject: Re: session.invalidate(); not working in LogoffAction
To: Max Cooper <[EMAIL PROTECTED]>


Well, it's interesting actually. What I have is a simple login screen
that validates login and password against a database. The FINAL
version of this application will have to validate against my client's
SSO (which I at this point know nothing about).

So, I'm thinking that for now, I'll just use the DB validation, then
put the UserID in the session scope, then check for it in every
action class. The logoutAction will null out the userID...

Am I oversimplifying?


On Mon, 07 Mar 2005 17:12:38 -0800, Max Cooper <[EMAIL PROTECTED]> wrote:
> Are you using HTTP BASIC authentication? If you get a login dialog box,
> as opposed to a login web page, you are probably using HTTP BASIC
> authentication. If so, the browser remembers the login and automatically
> sends it to the app with each request, which will log the user in again
> if they revisit a page after logging out.
>
> FORM-based authentication does not have this issue. So one resolution
> would be to switch to form-based authentication.
>
> To stay with BASIC, I think you could delete/expire the auth cookie as
> part of the logout action. I haven't tried this before, but it seems
> like it might work.
>
> Tell us more about your authentication system and we can help you find a
> solution to the problem.
>
> -Max
>
> On Mon, 2005-03-07 at 16:44 -0500, David Johnson wrote:
> > hi all
> >
> > I have a logoff action, and inside it I do the following.
> >
> > // Clean up the session if there is one
> > HttpSession session = request.getSession();
> > session.invalidate();
> >
> > When I watch what's happening in the manager application (I'm using
> > Tomcat) the number of sessions does not decrease, and I can back up in
> > the browser and call actions, all of which have code to check for a
> > valid session.
> >
> > This raises a question: what's the best way in my web-app to make
> > sure the user is valid? Should I check in **every** action?
> >
>
>

--
-Dave
[EMAIL PROTECTED]


-- 
-Dave
[EMAIL PROTECTED]
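The thread ends with two open questions: how to check the session-scoped UserID without repeating the check in every action, and why the back button still works after `session.invalidate()`. The example below is added here and is not code from either poster; it assumes the servlet API of the Struts era (`javax.servlet`, servlet 2.3/2.4), a session attribute named `userID` as in the thread, and a hypothetical login path `/login.do`. It moves the check into a servlet `Filter` mapped over the protected URLs, so the actions themselves no longer have to check, and sends `Cache-Control: no-store` so a page viewed through the back button is fetched from the server (and redirected) rather than replayed from the browser cache. Note Max's point still applies: with HTTP BASIC authentication the browser resends the credentials on every request, so nothing done on the server side can log that user out; this filter only helps with form-based login where the session is the sole record of who is logged in.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not from the mailing-list thread): one filter guards every
 * protected URL instead of each action repeating the session check.
 *
 * Assumed web.xml mapping (hypothetical):
 *   <filter><filter-name>auth</filter-name>
 *           <filter-class>SessionAuthFilter</filter-class></filter>
 *   <filter-mapping><filter-name>auth</filter-name>
 *                   <url-pattern>/secure/*</url-pattern></filter-mapping>
 */
public class SessionAuthFilter implements Filter {

    /** Session attribute the thread uses to record the logged-in user. */
    public static final String USER_ID_ATTR = "userID";

    /** Hypothetical login page; adjust to the application's own. */
    private static final String LOGIN_PATH = "/login.do";

    public void init(FilterConfig config) {
        // nothing to configure in this example
    }

    public void destroy() {
        // nothing to release
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): do not create a session just to find out nobody is logged in.
        // That is also why the Tomcat manager's session count should not creep upward.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_ID_ATTR) == null) {
            response.sendRedirect(request.getContextPath() + LOGIN_PATH);
            return;
        }

        // Keep protected pages out of the browser cache. Without this, the back
        // button can show a cached copy of a page after logout, even though the
        // server would now refuse the request.
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        chain.doFilter(req, res);
    }

    /**
     * Called by the login action once the DB (later: SSO) check succeeds.
     * Any pre-login session is discarded so the user's identity lands in a
     * fresh session id rather than one that existed before authentication.
     */
    public static void login(HttpServletRequest request, String userId) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        request.getSession(true).setAttribute(USER_ID_ATTR, userId);
    }

    /**
     * Called by the logoff action. Invalidating the session removes every
     * attribute, so there is no need to null out userID separately; the
     * filter above will then redirect any later request to the login page.
     */
    public static void logout(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }
}
```

With the filter in place, the login and logoff actions call `SessionAuthFilter.login(request, userId)` and `SessionAuthFilter.logout(request)` respectively, and no action under `/secure/*` needs its own session check. The login page itself must sit outside the filter's URL pattern, or every visitor is redirected in a loop.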