On 4/24/05, Yan Hu <[EMAIL PROTECTED]> wrote:
> Hi:
> I came across a couple of articles about logout on the Web. They all do
> something like
> session.removeAttribute("user");
> session.invalidate();
> Can I just use session.invalidate()? Would "user" be destroyed automatically
> when the session is
> invalidated?
Yes, you are technically accurate -- the "user" attribute will get
thrown away, and (if the user attempts to continue and starts a new
session) he or she will appear to not be logged in because the new
session will not have such a user object.
That being said, I personally encourage developers to explicity delete
anything they have put into the session, as a specific case of a
general principle that many of us teach our kids: "clean your bedroom
before you go play." :-). In this particular case, it is important
for developers to understand that registering things in session scope
has scalability and performance impacts -- and that, in nearly every
case, there should be a removeAttribute() statement that corresponds
to the setAttribute() statement that added it. Also, you should
strive to delete session scope objects as quickly as you no longer
need them.
Yes, the container will pick up your toys for you when the session
expires, but depending on this tempts you towards laziness (and, of
course, an exasperated parent :-).
Craig
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
