But Wicket also stores the page map in the session to support back
button functionality. If you only change the status, then the user
could possibly (depending on how you construct your page) go back
after the logout and see the last pages.

This could be a problem on public computers.

You could also see a session as representing a user, not a browser.
Then, invalidating the session on logout makes perfect sense to me.

regards

On Sat, Jun 23, 2012 at 9:14 AM, Tom Eugelink <[email protected]> wrote:
> On 2012-06-22 16:57, Tom Eugelink wrote:
>>
>> Anyhow, I've added Wicket Auth/Roles
>> (http://wicket.apache.org/learn/projects/authroles.html) as the security
>> framework and it is working fine except one thing; logging out.
>
>
> I've found that the login / logout logic is invalidating the session. During
> an attempt to setup security in a webapp years back, I found that Tomcat
> also does this and I never understood why. The session is a technical
> construct that binds requests from the same browser and allows the website
> to become coherent over multiple requests. It has nothing to do with an
> authentication state. Naturally it can be used as a means to administer if a
> user is logged in, but there is no reason to trash the session when a user
> is logging out; after all, it's still the same browser sending requests. The
> session has not changed, the user's status has.
>
> The security filter I've implemented years back as a result of this
> discovery simply changes the logged in state in the current session. If any
> attributes need to be cleared when a user logs out, this is easily done by
> removing them from the current session (maybe even by using a special map
> stored as an attribute in the session). This will prevent the automatic login
> I'm experiencing now. I will roll my security filter into my wicket app.
>
>
> Tom
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>

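As an added example (not code from this thread or from Wicket itself), a Wicket Auth/Roles session that offers both logout styles discussed above side by side, so the difference is visible in one place. It assumes Wicket 6 package names, and the class name, method names and the single-user credential map are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Map;
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.request.Request;

// Hypothetical session class for this example; not Wicket's own code.
public class AppSession extends AuthenticatedWebSession {
    // Constructed in-memory credential store (sample only; real apps store password hashes).
    private static final Map<String, String> USERS = Collections.singletonMap("alice", "s3cret");
    private Roles roles = new Roles();

    public AppSession(Request request) {
        super(request);
    }

    @Override
    public boolean authenticate(String username, String password) {
        String expected = USERS.get(username);
        // Constant-time compare: a bad username and a bad password cost the same.
        boolean ok = expected != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                password.getBytes(StandardCharsets.UTF_8));
        roles = ok ? new Roles(Roles.USER) : new Roles();
        return ok;
    }

    @Override
    public Roles getRoles() {
        return isSignedIn() ? roles : new Roles();
    }

    // Logout as in the quoted mail: only the logged-in state changes. The page
    // map Wicket keeps in this session survives, so the browser's back button
    // can still reach pages that were rendered while signed in.
    public void logoutKeepingSession() {
        signOut();
        roles = new Roles();
    }

    // Logout as recommended in the reply: drop the whole session. The page map
    // goes with it and the next request starts a fresh session.
    public void logoutInvalidatingSession() {
        signOut();
        roles = new Roles();
        invalidate(); // Wicket performs the invalidation at the end of this request
    }
}
```

A logout link would call `logoutInvalidatingSession()` and then redirect to the home page; on a shared computer the invalidated session is what keeps the back button from showing the signed-in pages.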