Hi, I seem to be having a problem with session.invalidate(). I'm using this for users to log out of my web site but it seems to take two attemps before the user is properly logged out! I am using JDBCRealms for authentication BTW. I have set up a simple four page web site: test/jsp/index.jsp ---- front page <% response.setHeader("Cache-Control","no-cache"); //HTTP 1.1 response.setHeader("Pragma","no-cache"); //HTTP 1.0 response.setDateHeader ("Expires", 0); //prevents caching at the proxy server %> <html> <body> <%=request.toString()%><br> <%=request.getSession (false)%><br> <%=request.getRemoteUser()%><br> <%=request.getUserPrincipal()%><br> <h2><a href="protected/index.jsp">Login</a><h2> </body> </html> test/jsp/protected/index.jsp --- protected page <% response.setHeader("Cache-Control","no-cache"); //HTTP 1.1 response.setHeader("Pragma","no-cache"); //HTTP 1.0 response.setDateHeader ("Expires", 0); //prevents caching at the proxy server %> <html> <body> <%=request.toString()%><br> <%=request.getSession (false)%><br> <h2>you are currently logged in as <%= request.getRemoteUser() %></h2> <h3><a href="logout.jsp">Logout</a></h3> </body> </html> test/jsp/protected/logout.jsp --- logout page <% response.setHeader("Cache-Control","no-cache"); //HTTP 1.1 response.setHeader("Pragma","no-cache"); //HTTP 1.0 response.setDateHeader ("Expires", 0); //prevents caching at the proxy server %> <html> <body> <%=request.toString()%><br> <%=request.getSession (false)%><br> <%=request.getRemoteUser()%><br> <%=request.getUserPrincipal()%><br> <% session.invalidate (); %> <%=request.getSession (false)%><br> <%=request.toString()%><br> <%=request.getRemoteUser()%><br> <%=request.getUserPrincipal()%><br> <a href="../index.jsp">home</a>. </body> </html> test/jsp/login/login.jsp --- login page used by FORM based authentication. <html> <body> <h1>Login page </h1> <form method="POST" action="j_security_check" > Username: <input type="text" name="j_username"><br> Password: <input type="password" name="j_password"><br> <br> <input type="submit" value="login" name="j_security_check"> </form> </body> </html> The problem occurs like this: The first time around the request for protected/index.jsp is detected and you have to log in. >From there, access the logout page which does a <% session.invalidate();%>. Then back to jsp/index.jsp, try and access the protected page from here ------ straight in as still authenticated. Accessing the log out page again, actually logs out this time! Is this a known problem? Any possible work arounds? Thanks, Sam. PS. This work fine on TC3.2.1 --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]