> > I wonder if in spite of reseting all the session variables, just reset
> > Turbine variable which are ACL and the user.
> > What do you think about that ?
>
> This sure sounds sensible. I just looked into the sources of LogoutUser
action,
> and as far as I can tell, it looks like it does just that. Look:
>
> --------------------------------------------------------------------------
------
> // this will cause the acl to be removed from the session
> // in the Turbine servlet code.
> data.setACL(null);
> // Retrieve an anonymous user
> data.setUser( UserFactory.getUser() );
> data.save();
>
> // in the event that "screen.homepage" or related navigations
> // require acl info, we cannot
> // wait for Turbine to handle regenerating acl.
> data.getSession().removeValue(AccessControlList.SESSION_KEY);
> --------------------------------------------------------------------------
------
>
> I believe that it makes impossible for an user to continue session (User &
ACL
> objects) of another, after LogoutUser action is executed. (Jon, or someone
who
> knows this code, plase comment on that)
>
> Maybe clearing other session variables in Turbine.goGet() could be made
optional
> (configured by an entry in TR.properties). I think that it would work for
you.
>
> Rafal
>
>
So, what do you think about reseting just the Tubine session variable (User
and ACL) in Turbine.doGet(..) in spite of reseting all the session variable
?
Herv�
------------------------------------------------------------
To subscribe: [EMAIL PROTECTED]
To unsubscribe: [EMAIL PROTECTED]
Search: <http://www.mail-archive.com/turbine%40list.working-dogs.com/>
Problems?: [EMAIL PROTECTED]
