Well, the way JSecurity works an explicit logout removes the "remember
me" cookie. A session timeout will of course not remove the remember
me cookie. So if the user doesn't log out and their session times out
then when they go back to the site they are remembered. However, if
they explicitly log out and return to the site, they will have to
re-authenticate.
If you want to simply un-authenticate them, but not remove the
remember me, you could just invalidate their current HTTP session by
calling HttpSession.invalidate(), but don't call Subject.logout().
Their next request would start a new session which would be
remembered, but not authenticated.
Hope this helps!
Jeremy
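Added example, not code from this thread or from the JSecurity project: a servlet that puts the two actions Jeremy contrasts side by side, `Subject.logout()` (session and remember-me cookie both go) versus `HttpSession.invalidate()` alone (session goes, the cookie survives, so the next request is remembered but not authenticated). It assumes the `org.jsecurity.SecurityUtils` / `org.jsecurity.subject.Subject` API and the servlet API; the `action` request parameter and the servlet name are made up for the example. The `describe` method shows the check an application should make before trusting a recalled identity: only `isAuthenticated()` should unlock anything sensitive.

```java
// Added example, not from the thread or from JSecurity itself.
// Assumes the org.jsecurity SecurityUtils/Subject API and the servlet API.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.jsecurity.SecurityUtils;
import org.jsecurity.subject.Subject;

/**
 * Two ways of ending a login, with different effects on the remember-me cookie.
 * The "action" parameter is a constructed convention for this example.
 */
public class SessionControlServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String action = req.getParameter("action");
        if ("forget".equals(action)) {
            forget();
        } else if ("unauthenticate".equals(action)) {
            unauthenticate(req);
        }
        resp.getWriter().println(describe(SecurityUtils.getSubject()));
    }

    /** Full logout: ends the session AND removes the remember-me cookie. */
    static void forget() {
        SecurityUtils.getSubject().logout();
    }

    /**
     * Drop the authenticated session only. The remember-me cookie survives,
     * so the next request starts a new session that is "remembered" but
     * not "authenticated".
     */
    static void unauthenticate(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();   // deliberately NOT Subject.logout()
        }
    }

    /**
     * A remembered identity is a hint, not proof of who is at the keyboard;
     * gate sensitive operations on isAuthenticated(), never on getPrincipal().
     */
    static String describe(Subject subject) {
        if (subject.isAuthenticated()) {
            return "authenticated as " + subject.getPrincipal();
        }
        if (subject.getPrincipal() != null) {
            return "remembered as " + subject.getPrincipal() + " (not authenticated)";
        }
        return "anonymous";
    }
}
```

Map the servlet to a path of your choosing in web.xml; hitting it with `?action=unauthenticate` and then reloading any page should report the subject as remembered rather than authenticated, while `?action=forget` followed by a reload should report anonymous.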
On Jul 31, 2008, at 1:21 PM, Brad Whitaker wrote:
Thanks for the response -- I didn't realize that Subject.logout()
would remove the remember me cookies.
This behavior surprises me a little bit and leads to a different
question: is there a way to "un-authenticate" a user? It seems it
would be valuable to be able to log a user out but still remember them.
Am I missing this in the API or does this capability not currently
exist?
Brad
Jeremy Haile wrote:
Hey Brad,
The usual way of forcing JSecurity to "forget" a subject is to call
Subject.logout() - this should remove any remember me cookies as
well. Perhaps you could auto-logout subjects in your development
environment upon first access? You could also just bookmark the
/logout URL and click the bookmark when you start a new development
session.
This would be difficult to do on the server side (i.e. without a
web request from a browser), since it involves actually clearing
the cookie from a user's machine.
Please let me know if you have any ideas about how JSecurity could
make this process easier.
Jeremy
On Jul 31, 2008, at 12:11 PM, Brad Whitaker wrote:
Is it possible to force JSecurity to "forget" a subject that has
previously been remembered?
This is an issue for me only in "development" mode and shouldn't
occur in a production environment. The problem is that I often
start a development session with an empty user database but the
browser comes to the site with a cookie. I end up getting a
Principal that I don't know. I would like to discard the cookie at
this point. Is this possible? Or is there a better way to deal
with this issue (other than clearing the cache on the browser)?
Thanks,
Brad
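Added example, not code from this thread or from the JSecurity project: a servlet filter that does what Brad asks for and what Jeremy's first reply suggests, namely discarding a remembered identity that the application's user database no longer knows. Because the filter runs inside a web request, the `Subject.logout()` it issues reaches the browser as a cookie removal, which is the part Jeremy notes cannot be done from the server side alone. It assumes the `org.jsecurity.SecurityUtils` / `org.jsecurity.subject.Subject` API; `UserStore` and the `"userStore"` servlet-context attribute are hypothetical stand-ins for the application's own user lookup.

```java
// Added example, not from the thread or from JSecurity itself.
// Assumes the org.jsecurity SecurityUtils/Subject API. UserStore and the
// "userStore" context attribute are hypothetical application-side plumbing.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.jsecurity.SecurityUtils;
import org.jsecurity.subject.Subject;

/** Hypothetical lookup against the application's own user database. */
interface UserStore {
    boolean exists(Object principal);
}

/**
 * Runs on every request. If the remember-me cookie recalls a principal the
 * user store does not know (for example after starting with an empty
 * development database), the filter calls Subject.logout(). Doing this inside
 * the request is what lets the cookie removal actually reach the browser.
 */
public class StalePrincipalFilter implements Filter {
    private UserStore users;

    public void init(FilterConfig config) throws ServletException {
        // Assumption: the application publishes its user store under this
        // servlet-context attribute at startup.
        users = (UserStore) config.getServletContext().getAttribute("userStore");
        if (users == null) {
            throw new ServletException("userStore attribute not set");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        Subject subject = SecurityUtils.getSubject();
        if (isStale(subject)) {
            subject.logout();   // clears the session and the remember-me cookie
        }
        chain.doFilter(req, resp);
    }

    /** True when a principal was recalled from the cookie but no such user exists. */
    boolean isStale(Subject subject) {
        Object principal = subject.getPrincipal();
        return principal != null && !users.exists(principal);
    }

    public void destroy() {}
}
```

Register the filter after JSecurity's own filter so that `SecurityUtils.getSubject()` already reflects the remember-me cookie when `isStale` runs. The same check is worth keeping outside development: a cookie that names an account which has since been deleted should be discarded rather than left to produce an unknown principal on every request.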