Thanks for the response -- I didn't realize that Subject.logout() would
remove the remember me cookies.
This behavior surprises me a little bit and leads to a different
question: is there a way to "un-authenticate" a user? It seems it would
be valuable to be able to log a user out but still remember them. Am I
missing this in the API or does this capability not currently exist?
Brad
Jeremy Haile wrote:
Hey Brad,
The usual way of forcing JSecurity to "forget" a subject is to call
Subject.logout() - this should remove any remember me cookies as
well. Perhaps you could auto-logout subjects in your development
environment upon first access? You could also just bookmark the
/logout URL and click the bookmark when you start a new development
session.
This would be difficult to do on the server side (i.e. without a web
request from a browser), since it involves actually clearing the
cookie from a user's machine.
Please let me know if you have any ideas about how JSecurity could
make this process easier.
Jeremy
On Jul 31, 2008, at 12:11 PM, Brad Whitaker wrote:
Is it possible to force JSecurity to "forget" a subject that has
previously been remembered?
This is an issue for me only in "development" mode and shouldn't
occur in a production environment. The problem is that I often start
a development session with an empty user database but the browser
comes to the site with a cookie. I end up getting a Principal that I
don't know. I would like to discard the cookie at this point. Is this
possible? Or is there a better way to deal with this issue (other
than clearing the cache on the browser)?
Thanks,
Brad