That sounds like it will work for me -- thanks!
Jeremy Haile wrote:
Well, the way JSecurity works an explicit logout removes the "remember
me" cookie. A session timeout will of course not remove the remember
me cookie. So if the user doesn't log out and their session times out
then when they go back to the site they are remembered. However, if
the explicitly log out and return to the site, they will have to
re-authenticate.
If you want to simply un-authenticate them, but not remove the
remember me, you could just invalidate their current HTTP session by
calling HttpSession.invalidate(), but don't call Subject.logout().
Their next request would start a new session which would be
remembered, but not authenticated.
Hope this helps!
Jeremy
On Jul 31, 2008, at 1:21 PM, Brad Whitaker wrote:
Thanks for the response -- I didn't realize that Subject.logout()
would remove the remember me cookies.
This behavior surprises me a little bit and leads to a different
question: is there a way to "un-authenticate" a user? It seems it
would valuable to be able to log a user out but still remember them.
Am I missing this in the API or does this capability not currently
exist?
Brad
Jeremy Haile wrote:
Hey Brad,
The usual way of forcing JSecurity to "forget" a subject is to call
Subject.logout() - this should remove any remember me cookies as
well. Perhaps you could auto-logout subjects in your development
environment upon first access? You could also just bookmark the
/logout URL and click the bookmark when you start a new development
session.
This would be difficult to do on the server side (i.e. without a web
request from a browser), since it involves actually clearing the
cookie from a user's machine.
Please let me know if you have any ideas about how JSecurity could
make this process easier.
Jeremy
On Jul 31, 2008, at 12:11 PM, Brad Whitaker wrote:
Is it possible to force JSecurity to "forget" a subject that has
previously been remembered?
This is an issue for me only in "development" mode and shouldn't
occur in a production environment. The problem is that I often
start a development session with an empty user database but the
browser comes to the site with a cookie. I end up getting a
Principal that I don't know. I would like to discard the cookie at
this point. Is this possible? Or is there a better way to deal with
this issue (other than clearing the cache on the browser)?
Thanks,
Brad
