session.invalidate() will only work if form based auth is being used. If you're using basic auth then you will need to roll your own logout method that uses a 401 response to convince the browser to forget the login details.
btw - Closing the browser is/was the traditional way of logging out of basic auth. Servlet Spec 2.4 reportedly has a HttpSession.logout() method but I've not looked into it. On Mon, 3 Mar 2003, Ivan Bolcina wrote: > Hello. > I have several web applications running on jetty/jboss. All of them are > secure and require user to login. I have a problem. User gets into one > applications, then he exits. ( I call session.invalidate()) > Then, user goes to another application, he logs in again and logs out again. > BUT, when he enters the first application again, he is not prompted for > username/password. I belive jetty remembers user's data. I hoped thant when > I do session.invalidate(), everything about this user, object bound to > session as well as his credidentials, will be forgoten. This is not the > case. So how to do this? > > Thank you very much for your help, > Ivan > ------------------------------------------------------- This SF.net email is sponsored by: Etnus, makers of TotalView, The debugger for complex code. Debugging C/C++ programs can leave you feeling lost and disoriented. TotalView can help you find your way. Available on major UNIX and Linux platforms. Try it free. www.etnus.com _______________________________________________ JBoss-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/jboss-user