> A last question: what precisely does the session.invalidate stuff do?
> Indeed, in my application, when checking if the user is logged in, I
> just check whether a user is in the current session. As such, to
> "unlog" my user, I just need to do something like
> session.setUser(null). So I wonder what precisely the invalidate does
> (and as such whether I really need to do it or not). I checked the
> API already and there is just: "Invalidates this session."

Invalidate 'unbinds' the session from the backing session store. In practice, for default configurations, this means that the HttpSession object that is maintained for the client is invalidated (see HttpSession#invalidate) after the request is done, so that a client starts with a clean slate.

Off topic, I think it's good practice to make your login page a stateless page (using a stateless form), so that users can have that page in front of them for hours and then sign in without even being bothered with a session expiry exception. In fact, it's probably good practice to have the whole part of the site where you don't require users to log in implemented as stateless and/or bookmarkable pages.

My 2c.

Eelco
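
What "unbinds the session from the backing session store" means next to only clearing the user, shown as an added example that is not part of the original thread and is not Wicket or servlet code. It is a toy in-memory store; `bind`, `clearUser`, `invalidate` and the `draftOrder` attribute are hypothetical names chosen for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Toy model (constructed for illustration, not Wicket or servlet code).
public class InvalidateDemo {
    // Server-side store: session id (the cookie value) -> session attributes.
    static final Map<String, Map<String, Object>> store = new HashMap<>();

    // Look up the session for a cookie, binding a fresh one if none is bound.
    static String bind(String cookie) {
        if (cookie != null && store.containsKey(cookie)) return cookie;
        String id = UUID.randomUUID().toString();
        store.put(id, new HashMap<>());
        return id;
    }

    // The approach from the question: only clear the user attribute.
    static void clearUser(String id) { store.get(id).remove("user"); }

    // Model of invalidate: unbind the whole session from the store.
    static void invalidate(String id) { store.remove(id); }

    public static void main(String[] args) {
        // Case 1: log out by clearing the user only.
        String a = bind(null);
        store.get(a).put("user", "alice");
        store.get(a).put("draftOrder", "constructed sample state");
        clearUser(a);
        String next = bind(a); // next request presents the same cookie
        System.out.println("clearUser: same id = " + next.equals(a)
                + ", leftover = " + store.get(next).keySet());

        // Case 2: log out by invalidating the session.
        String b = bind(null);
        store.get(b).put("user", "bob");
        store.get(b).put("draftOrder", "constructed sample state");
        invalidate(b);
        String fresh = bind(b); // old cookie no longer maps to anything
        System.out.println("invalidate: same id = " + fresh.equals(b)
                + ", leftover = " + store.get(fresh).keySet());
    }
}
```

In the first case the old session id stays bound and any other per-user state remains in it; in the second the next request starts from an empty, newly bound session.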
