> -----Original Message----- > From: Henning Schmiedehausen [mailto:[EMAIL PROTECTED] > Sent: Thursday, March 20, 2003 5:02 AM > To: Quinton McCombs > Cc: Turbine Development List > Subject: Re: Login/Logout & session invalidating > > > > > > > The problem with this idea is that we will lose session pull tools > > since they will be removed before the login action executes. > > > > I suggest that we make Turbine.logoutUser invalidate the > session. We > > could then remove the existing code in Turbine.loginUser() that > > removes all of the data from the session. > > > > Anyone see a problem with this? > > I was thinking about this and now I know why. :-) Consider > the case where you have an application that has > "authenticated" and "non-authenticated" parts. E.g. a portal > site where you can access information put need to log in when > you want to post. It might be possible that a user starts a > (servlet) session, browses for a while, then logs in, posts > some articles and logs out again. Currently, the next > requests would stay in the same servlet session. Your > proposal would start a new session right at this moment. I'm > not sure if there are not applications that rely on the fact > that you can log out but stay in the same servlet session.
We are going to have to trash the session at one point or another. This can either be during login or logout. To me, it makes the most sense at logout. I can make good arguments either way though so I guess I am neutral on where to do it. Anyone else care to chime in? > Regards > Henning > > -- > Dipl.-Inf. (Univ.) Henning P. Schmiedehausen INTERMETA GmbH > [EMAIL PROTECTED] +49 9131 50 654 0 http://www.intermeta.de/ > > Java, perl, Solaris, Linux, xSP Consulting, Web Services > freelance consultant -- Jakarta Turbine Development -- hero for hire > > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
