I am happy to confirm the following:
*[1]* this "bug" report is erroneous. Subject::logout is enough to invalidate the HTTP session.
*[2]* the number of active HTTP sessions reported by JBoss did not decrease due to a re-direction after the logout. A new HTTP session was created after the redirection (but the old one was indeed invalidated), which is why the count didn't go down.
*[3]* the performance improvement we witnessed after applying the patch was unrelated to the patch.
Apologies for the false alarm.
