Hi Kapil,

You can perform 'cleanup' logic during logout by implementing an AuthenticationListener. The listeners are called before session.invalidate() is called, so the session will still be accessible during the listener notification.

I don't think a Subject's session should ever retain data/authentication status after logout. That would be very odd.

- Les

On Thu, Dec 3, 2009 at 2:32 PM, Kapil Sachdeva <[email protected]> wrote:
> Hi,
> Currently when you call a logout method on Shiro's Subject, it goes through
> the SecurityManager and, for the case of web applications in HTTP session
> mode, it ends up doing httpSession.invalidate().
> I am in a situation where I have a library which puts data in HttpSession
> and at one point it has the intention to log the user out, and after logging
> him out it needs to perform further cleanup based on data it stored earlier
> in the Session.
> I have a feeling that httpSession.invalidate() is safer and less error prone,
> but I also believe that it is interesting from a (Shiro) framework perspective
> to provide a way to set the user's state to "not authenticated" without
> invalidating the entire session.
> Please guide.
> Regards & thanks
> Kapil
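The listener approach Les describes, as an added example that is not part of the original thread: an AuthenticationListener whose onLogout reads the data the library stashed in the session and cleans up before the SecurityManager stops the session. It assumes Shiro 1.x; the attribute key "lib.uploadDir" and the LibraryCleanup helper are hypothetical placeholders for the library's own state.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationListener;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

// Registered in shiro.ini (the authenticator is a ModularRealmAuthenticator,
// which inherits setAuthenticationListeners from AbstractAuthenticator):
//   [main]
//   logoutCleanup = com.example.LogoutCleanupListener
//   securityManager.authenticator.authenticationListeners = $logoutCleanup
public class LogoutCleanupListener implements AuthenticationListener {

    // Hypothetical key under which the library stored its data earlier.
    static final String UPLOAD_DIR_KEY = "lib.uploadDir";

    @Override
    public void onSuccess(AuthenticationToken token, AuthenticationInfo info) {
        // no-op: only logout needs cleanup here
    }

    @Override
    public void onFailure(AuthenticationToken token, AuthenticationException ae) {
        // no-op
    }

    @Override
    public void onLogout(PrincipalCollection principals) {
        // DefaultSecurityManager.logout() notifies listeners before it stops
        // the session, so the thread-bound Subject still has its session here.
        Subject subject = SecurityUtils.getSubject();
        Session session = subject.getSession(false); // never create one on logout
        if (session == null) {
            return; // nothing was stored, nothing to clean up
        }
        Object dir = session.getAttribute(UPLOAD_DIR_KEY);
        if (dir != null) {
            LibraryCleanup.removeTempFiles(dir.toString()); // hypothetical helper
            session.removeAttribute(UPLOAD_DIR_KEY);
        }
    }
}
```

The listener only sees the PrincipalCollection, so it reaches the session through the Subject bound to the current thread, which is still bound during a web request's logout call.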
