Hervé Guidetti wrote:
> I wonder if in spite of resetting all the session variables, just reset
> Turbine variable which are ACL and the user.
> What do you think about that?
This sure sounds sensible. I just looked into the sources of LogoutUser action,
and as far as I can tell, it looks like it does just that. Look:
--------------------------------------------------------------------------------
// this will cause the acl to be removed from the session
// in the Turbine servlet code.
data.setACL(null);
// Retrieve an anonymous user
data.setUser( UserFactory.getUser() );
data.save();
// in the event that "screen.homepage" or related navigations
// require acl info, we cannot
// wait for Turbine to handle regenerating acl.
data.getSession().removeValue(AccessControlList.SESSION_KEY);
--------------------------------------------------------------------------------
I believe that it makes it impossible for a user to continue the session (User & ACL
objects) of another, after LogoutUser action is executed. (Jon, or someone who
knows this code, please comment on that)
Maybe clearing other session variables in Turbine.goGet() could be made optional
(configured by an entry in TR.properties). I think that it would work for you.
Rafal