Hi!
[EMAIL PROTECTED] wrote:
> instance request.getRemoteUser() will still return the same user as
> before invalidation..

Yep, that's normal. You have to make a difference between the implicit objects "request" (referring to the actual HTTP request, including full user authentication) and "session". After authentication over HTTP a dedicated user could initiate _several_ sessions doing different things for him.

If you want to invalidate a user per session, you shouldn't use HTTP authentication but implement a user property in a JavaBean (used with the scope "session").

bestWISHES
Ingo
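The session-scoped user property suggested in the reply above, as an added example that is not part of the original message or of any project's code. The names `UserBean` and `SessionAuth` and the attribute key `"userBean"` are hypothetical; only the standard `javax.servlet.http` session calls are assumed. The login step also discards any pre-login session, which goes slightly beyond what the reply describes.

```java
import java.io.Serializable;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical session-scoped bean holding the application-level user.
class UserBean implements Serializable {
    private static final long serialVersionUID = 1L;
    private String user;                       // null means "not logged in"
    public String getUser() { return user; }
    public void setUser(String user) { this.user = user; }
}

// Hypothetical helper; the attribute key "userBean" is an assumption.
public final class SessionAuth {
    private static final String KEY = "userBean";
    private SessionAuth() {}

    // Call only after the application has verified the credentials itself.
    public static void login(HttpServletRequest req, String verifiedUser) {
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();     // do not carry a pre-login session over
        UserBean bean = new UserBean();
        bean.setUser(verifiedUser);
        req.getSession(true).setAttribute(KEY, bean);
    }

    // Identity bound to this session only; never consults getRemoteUser().
    public static String currentUser(HttpServletRequest req) {
        HttpSession s = req.getSession(false);
        if (s == null) return null;
        Object bean = s.getAttribute(KEY);
        return (bean instanceof UserBean) ? ((UserBean) bean).getUser() : null;
    }

    // Ends this session's login; other sessions of the same user are untouched.
    public static void logout(HttpServletRequest req) {
        HttpSession s = req.getSession(false);
        if (s != null) s.invalidate();         // the bean is discarded with the session
    }
}
```

Access checks should call `currentUser()` rather than `request.getRemoteUser()`, since the latter reflects the HTTP-level authentication sent with each request and is unaffected by `invalidate()`.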
