Søren Blidorf wrote:
In my webapp I use session.invalidate().
It works fine in IE, but not in Opera.
I get no error but the user is still logged in.
Any idears?
A guess, and a way to check it :
The guess is that a side-effect of session.invalidate() is that in the
next response to the browser, the JSESSIONID cookie should be deleted.
The check :
- get the Fiddler2 add-on for IE and install it
- get a similar add-on for Opera and install it
(These add-ons allow you to see which HTTP headers the server is sending
to the browser; as a more complex alternative, use Wireshark or so).
Then call up the respective browser, trigger the add-on, and start and
stop a session. At the start of a session, you should see a response
from the server including a Set-Cookie header, for a JSESSIONID cookie.
In the last response from the server (after your logout), there should
be a Set-Cookie header, which cancels the JSESSIONID cookie (probably by
setting the expiration to "now").
This HTTP header should be identical in both cases.
If it is, and it works in one case and not the other, then it is either
a browser bug, or the Set-Cookie header itself which is not entirely
correct (unlikely, I guess).
By "it works", I mean that the result should be to delete the cookie in
the browser. If the cookie is deleted, then at the next request to the
server, no JSESSIONID cookie is sent, and Tomcat will consider this as a
new session.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
