> -----Original Message-----
> From: Quinton McCombs
> Sent: Wednesday, March 19, 2003 4:30 PM
> To: [EMAIL PROTECTED]
> Subject: Login/Logout & session invalidating
>
> In Turbine.loginUser() there is a comment about the need to
> remove all attributes from the session. This is because if
> the login fails, it would be possible for the user to
> continue as the last user that was logged in. I am going to
> assume this is for the case where someone logs out and then
> another user logs in from the same browser before the session
> times out.
>
> The problem with this idea is that we will lose session pull
> tools since they will be removed before the login action executes.
>
> I suggest that we make Turbine.logoutUser invalidate the
> session. We could then remove the existing code in
> Turbine.loginUser() that removes all of the data from the session.
>
> Anyone see a problem with this?

I have made these changes locally and they seem to work without a problem. The login action also has to be changed. The first thing that it does is to check to see if the user object is in the session. If it is, it simply returns. The comments in the action say it does that to prevent the action from being called twice. After removing it, it was not called twice... Must have been related to an old bug.

Anyway, if no one objects to these changes by the end of tomorrow, I will commit them.
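
The proposal in this thread, modelled as an added example (not part of the original message and not Turbine code): logout invalidates the whole session, so a later failed login on the same browser finds no previous user, while a session tool created before the login action runs is kept. The `Session` class, the `tool.cart` attribute and the password check are hypothetical stand-ins for the servlet container and Turbine's own classes.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

/** Constructed model of a servlet-style session lifecycle; not Turbine code. */
public class LogoutInvalidateDemo {
    /** Hypothetical stand-in for a container session (mirrors HttpSession). */
    static class Session {
        final String id = UUID.randomUUID().toString();
        final Map<String, Object> attrs = new HashMap<>();
        boolean valid = true;
        void invalidate() { valid = false; attrs.clear(); }
    }

    private Session current; // the session the browser's cookie maps to

    /** Like getSession(true): hands out a fresh session if none is valid. */
    Session session() {
        if (current == null || !current.valid) current = new Session();
        return current;
    }

    /** Login no longer wipes the session; it only stores the user on success. */
    boolean login(String user, String password) {
        Session s = session();
        if (!"secret".equals(password)) return false; // constructed credential check
        s.attrs.put("user", user);
        return true;
    }

    /** Logout as proposed: drop the whole session, not just the user object. */
    void logout() { if (current != null) current.invalidate(); }

    public static void main(String[] args) {
        LogoutInvalidateDemo app = new LogoutInvalidateDemo();
        app.login("alice", "secret");
        String oldId = app.session().id;
        app.logout();

        // Next visitor, same browser: a session tool exists before the login action runs.
        app.session().attrs.put("tool.cart", new Object());
        boolean ok = app.login("bob", "wrong");

        Session s = app.session();
        System.out.println("login succeeded:    " + ok);
        System.out.println("stale user present: " + s.attrs.containsKey("user"));
        System.out.println("session tool kept:  " + s.attrs.containsKey("tool.cart"));
        System.out.println("fresh session id:   " + !s.id.equals(oldId));
    }
}
```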
