> > Presumably, you are using CLIENT-CERT as your <auth-method>?
No, FORM method.

> >> When I invalidate() a session ( session.invalidate() ), Tomcat
> >> doesn't know it and thinks that user is still logged in. So, that
> >> user can get protected pages. Tomcat should return him a login
> >> window but doesn't.
>
> SSL session != HttpSession
>
> You need to terminate the SSL session. See a separate thread
> "SSLSession invalidate" for a discussion about how this is (not) working.

Well, I don't know what I have to terminate. I only want to know what to do to inform Tomcat that a user logs out (user clicks a Logout button).

I tried to invalidate the SSL session with this code:

    // Drop the application-level HttpSession.
    session.invalidate();
    // Look up the SSL session manager for this connection and invalidate the SSL session.
    org.apache.tomcat.util.net.SSLSessionManager mgr =
        (org.apache.tomcat.util.net.SSLSessionManager)
            request.getAttribute("javax.servlet.request.ssl_session_mgr");
    mgr.invalidateSession();
    // Ask for the connection to be closed after this response.
    response.setHeader("Connection", "close");

but it didn't work.

Has anyone worked with realm + SSL? Anyone?

Thanks and regards