[ https://issues.apache.org/jira/browse/SHIRO-454?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17079178#comment-17079178 ]
Benjamin Marwell commented on SHIRO-454:
----------------------------------------
Hi [~thecoolace] - just overwrite the cookie containing {{JSESSIONID}}. That
should suffice. But why would you want to do this?
> Provide a way to logout a user without destroying the http session
> ------------------------------------------------------------------
>
> Key: SHIRO-454
> URL: https://issues.apache.org/jira/browse/SHIRO-454
> Project: Shiro
> Issue Type: Improvement
> Components: Authentication (log-in), Session Management
> Affects Versions: 1.2.1
> Reporter: Bla Bla
> Priority: Major
>
> I am using Shiro together with Vaadin, but the following should be true for
> all GWT-based rich clients.
> If you are using this kind of framework, you mostly want to handle login
> and logout within the application itself. If this is the case, you absolutely
> don't want a logout to destroy the http session, because that will alert
> the user that the session is gone and will force the user to reload the whole
> application and start from scratch.
> Please: Just give me the possibility to do a user logout without ruining the
> http session. As a workaround I inherited from DefaultWebSecurityManager and
> overwrote the logout method to do everything but the http session
> invalidation. But that's a lot of cut and paste code and it could be easily
> provided by introducing a configurable setting or parameter for the logout.