>
> Presumably, you are using CLIENT-CERT as your <auth-method>?

No, FORM method.

>
>> When I invalidate() a session (session.invalidate()), Tomcat
>> doesn't know it and thinks that user is still logged in. So that
>> user can get protected pages. Tomcat should return him a login
>> window but doesn't.
> SSL session != HttpSession
>
> You need to terminate the SSL session. See a separate thread
> "SSLSession invalidate" for a discussion about how this is (not) working.

Well, I don't know what I have to terminate.
I only want to know what to do to inform Tomcat that a user logs out
(user clicks a Logout button).

I tried to invalidate the SSL session with this code:

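// Invalidate the HttpSession
session.invalidate();
// Tomcat-specific request attribute that exposes the SSL session manager
org.apache.tomcat.util.net.SSLSessionManager mgr =
    (org.apache.tomcat.util.net.SSLSessionManager)
        request.getAttribute("javax.servlet.request.ssl_session_mgr");
mgr.invalidateSession();
// Ask for the connection to be closed after this response
response.setHeader("Connection", "close");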

but it didn't work.
Has anyone worked with realm + SSL? Anyone?

Thanks and regards
