I see that the session object is stored in the request object (request.getSession). And, I suppose, the methods such as isUserInRole from the request are actually querying the stuff from the session object. So, if the session is gone (invalidated), then there is no authorization info. Does this mean the authorization info is kept in the session object?
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
