On 2012-06-22 16:57, Tom Eugelink wrote:
Anyhow, I've added Wicket Auth/Roles (http://wicket.apache.org/learn/projects/authroles.html) as the security framework and it is working fine except for one thing: logging out.
I've found that the login / logout logic is invalidating the session. During an attempt to set up security in a webapp years back, I found that Tomcat also does this and I never understood why. The session is a technical construct that binds requests from the same browser and allows the website to become coherent over multiple requests. It has nothing to do with an authentication state. Naturally it can be used as a means to administer whether a user is logged in, but there is no reason to trash the session when a user is logging out; after all, it's still the same browser sending requests. The session has not changed, the user's status has.

The security filter I implemented years back as a result of this discovery simply changes the logged-in state in the current session. If any attributes need to be cleared when a user logs out, this is easily done by removing them from the current session (maybe even by using a special map stored as an attribute in the session). This will prevent the automatic login I'm experiencing now. I will roll my security filter into my Wicket app.

Tom

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
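The two logout strategies discussed in the message above, side by side, as an added example: this is illustrative code written for this page, not Tom's filter and not Wicket or Tomcat code. It assumes the Servlet API 3.1 or later (`javax.servlet` namespace, for `HttpServletRequest.changeSessionId()`) and Java 9 or later (`Set.of`); the attribute names `auth.user` and the `user.` prefix, the paths `/login` and `/logout`, and the class name `AuthStateFilter` are invented for the example. The one caveat a practitioner would want alongside the "keep the session, flip the flag" approach is the usual reason containers tie the session to the authentication state: if the session id a browser held before login is still valid after login, an attacker who planted that id (session fixation) now holds an authenticated session. Rotating the id at login, as the `login` helper below does, addresses that while still keeping Tom's model of a session that outlives the logged-in state.

```java
// Added example (not from the original post, not Wicket/Tomcat code).
// Assumes Servlet API 3.1+ (javax.servlet) and Java 9+.
import java.io.IOException;
import java.util.Collections;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class AuthStateFilter implements Filter {
    // Hypothetical attribute names and paths chosen for this example.
    static final String ATTR_USER = "auth.user";
    static final String USER_SCOPED_PREFIX = "user.";
    static final Set<String> PUBLIC_PATHS = Set.of("/login", "/logout");

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getServletPath();

        if ("/logout".equals(path)) {
            // Tom's approach: the browser keeps its session, only the login state changes.
            logoutKeepingSession(request);
            response.sendRedirect(request.getContextPath() + "/login");
            return;
        }
        if (!PUBLIC_PATHS.contains(path) && currentUser(request) == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Called by the login handler once the credentials have been verified. */
    static void login(HttpServletRequest request, String username) {
        // Rotate the session id so an id fixed before authentication does not
        // become an authenticated one; attributes are carried over to the new id.
        if (request.getSession(false) != null) {
            request.changeSessionId();
        }
        request.getSession(true).setAttribute(ATTR_USER, username);
    }

    /** Keep the session, drop the authentication state and user-scoped attributes. */
    static void logoutKeepingSession(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return;
        }
        session.removeAttribute(ATTR_USER);
        // Copy the names first; removing while iterating the live enumeration is unsafe.
        for (String name : Collections.list(session.getAttributeNames())) {
            if (name.startsWith(USER_SCOPED_PREFIX)) {
                session.removeAttribute(name);
            }
        }
    }

    /** The behaviour Tom describes for Tomcat and Wicket Auth/Roles: discard the whole session. */
    static void logoutInvalidatingSession(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }

    /** Returns the logged-in user name, or null when the session holds no login state. */
    static String currentUser(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session == null ? null : (String) session.getAttribute(ATTR_USER);
    }
}
```

`logoutKeepingSession` only removes attributes it knows about (the user marker and anything under the `user.` prefix), so every piece of per-user state has to follow that convention or it survives logout and leaks to the next person at the same browser; `logoutInvalidatingSession` needs no such discipline, which is the practical trade-off between the two.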