All of that only gets the session out of the session registry. To invalidate a session you call session.invalidate(). Eventually your servlet container will notify the HttpSessionEventPublisher that a session was destroyed. The HttpSessionEventPublisher will then fire the HttpSessionDestroyedEvent into the Spring ApplicationContext. The ApplicationContext will pass that event along to all instance of the Spring ApplicationListener interface. The SessionRegistryImpl is an implementor of that interface; it will handle event by internally calling removeSessionInformation(sessionId).
I hope that clears things up for you. -Ray On 8/23/07, ShiLei <[EMAIL PROTECTED]> wrote: > ok, the way to invalidate a session by sessionid should be following > > add HttpSessionEventPublisher > > add ConcurrentSessionFilter into filter chain > > invoke method > SessionRegistryImpl.getSessionInformation(String > sessionId).expireNow() > > > ------------------------------------------------------------------------- > This SF.net email is sponsored by: Splunk Inc. > Still grepping through log files to find problems? Stop. > Now Search log events and configuration files using AJAX and a browser. > Download your FREE copy of Splunk now >> http://get.splunk.com/ > _______________________________________________ > Home: http://acegisecurity.org > Acegisecurity-developer mailing list > Acegisecurity-developer@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer > > ------------------------------------------------------------------------- This SF.net email is sponsored by: Splunk Inc. Still grepping through log files to find problems? Stop. Now Search log events and configuration files using AJAX and a browser. Download your FREE copy of Splunk now >> http://get.splunk.com/ _______________________________________________ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer