Hi,

Currently, when you call the logout method on Shiro's Subject, it goes through the SecurityManager and, for web applications in HTTP session mode, it ends up doing httpSession.invalidate().

I am in a situation where I have a library which puts data in the HttpSession, and at one point it intends to log the user out; after logging him out, it needs to perform further cleanup based on data it stored earlier in the session. I have a feeling that httpSession.invalidate() is safer and less error prone, but I also believe that it is interesting from the (Shiro) framework's perspective to provide a way to set the user's state to "not authenticated" without invalidating the entire session.

Please guide.

Regards & thanks,
Kapil
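
The ordering problem described in the message above, as an added example that is not part of the original post and is not Shiro code. `FakeSession` is a stand-in that mimics how a servlet `HttpSession` rejects access after `invalidate()`, and `CLEANUP_KEY` with its token value is a constructed placeholder; the second method keeps full invalidation and copies the cleanup data out first.

```java
import java.util.HashMap;
import java.util.Map;

public class LogoutCleanupExample {

    // Stand-in for a container session: any access after invalidate() fails,
    // as HttpSession does per the Servlet specification.
    static class FakeSession {
        private final Map<String, Object> attrs = new HashMap<>();
        private boolean valid = true;

        void setAttribute(String k, Object v) { check(); attrs.put(k, v); }
        Object getAttribute(String k) { check(); return attrs.get(k); }
        void invalidate() { check(); valid = false; attrs.clear(); }
        private void check() {
            if (!valid) throw new IllegalStateException("session already invalidated");
        }
    }

    // Hypothetical attribute key under which the library keeps its cleanup data.
    static final String CLEANUP_KEY = "lib.cleanupToken";

    // Fragile order: log out first, then read the session. The read throws.
    static String logoutThenRead(FakeSession s) {
        s.invalidate();                          // what logout ends up doing
        return (String) s.getAttribute(CLEANUP_KEY);
    }

    // Robust order: copy what cleanup needs, invalidate, then work from the copy.
    static String snapshotThenLogout(FakeSession s) {
        String token = (String) s.getAttribute(CLEANUP_KEY);
        s.invalidate();                          // session is still fully discarded
        return "released " + token;              // cleanup touches only the local copy
    }

    public static void main(String[] args) {
        FakeSession a = new FakeSession();
        a.setAttribute(CLEANUP_KEY, "constructed-token-1");
        try {
            logoutThenRead(a);
        } catch (IllegalStateException e) {
            System.out.println("fragile order failed: " + e.getMessage());
        }
        FakeSession b = new FakeSession();
        b.setAttribute(CLEANUP_KEY, "constructed-token-1");
        System.out.println(snapshotThenLogout(b));
    }
}
```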
