Ionel Gardais wrote:
Hi,
I am using the invalidate() method to force logout of the logged client but even after a call to this method, clients can navigate to a secured content without being prompted for their password.
Do you know what the problem is and/or how to solve it?
This only works if you are doing your own authentication (such as with filters etc) by storing authenticated state in the session.
If you use container-managed authentication, you cannot invalidate the user's session -- IIRC the best you can do is adjust the session timeout value.
Erik
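
A sketch of the filter-based approach the reply describes, added here as an example and not code from the thread: the filter keeps the authenticated state in the session, so invalidate() on logout removes it and the next request to secured content is sent back to login. The class name, the `authenticatedUser` attribute and the `/login` and `/logout` paths are assumptions; a login servlet (not shown) is assumed to set the attribute after verifying credentials.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical filter, mapped to /* in web.xml (assumption). */
public class SessionAuthFilter implements Filter {
    // Assumed attribute name; the login servlet sets it after checking credentials.
    static final String USER_ATTR = "authenticatedUser";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        // Path relative to the web application, e.g. "/logout"
        String path = req.getRequestURI().substring(req.getContextPath().length());

        if ("/logout".equals(path)) {
            HttpSession old = req.getSession(false);
            if (old != null) {
                old.invalidate();            // USER_ATTR is discarded with the session
            }
            res.sendRedirect(req.getContextPath() + "/login");
            return;
        }

        // getSession(false): do not create a session for an anonymous request
        HttpSession session = req.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;
        if (!loggedIn && !"/login".equals(path)) {
            res.sendRedirect(req.getContextPath() + "/login");
            return;
        }

        // Keep the browser from redisplaying cached secured pages after logout
        res.setHeader("Cache-Control", "no-store");
        chain.doFilter(req, res);
    }
}
```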