Are you using HTTP BASIC authentication? If you get a login dialog box,
as opposed to a login web page, you are probably using HTTP BASIC
authentication. If so, the browser remembers the login and automatically
sends it to the app with each request, which will log the user in again
if they revisit a page after logging out.

FORM-based authentication does not have this issue. So one resolution
would be to switch to form-based authentication.

To stay with BASIC, I think you could delete/expire the auth cookie as
part of the logout action. I haven't tried this before, but it seems
like it might work.

Tell us more about your authentication system and we can help you find a
solution to the problem.

-Max

On Mon, 2005-03-07 at 16:44 -0500, David Johnson wrote:
> hi all
> 
> I have a logoff action, and inside it I do the following.
> 
> // Clean up the session if there is one
> HttpSession session = request.getSession();
> session.invalidate();
> 
> When I watch what's happening in the manager application (I'm using
> Tomcat) the number of sessions does not decrease, and I can back up in
> the browser and call actions, all of which have code to check for a
> valid session..
> 
> This raises a question.. what's the best way in my web-app to make
> sure the user is valid? should I check in **every** action?
> 
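
On the quoted question of checking in every action, one way to do the check in a single place is a servlet filter. This is an added example, not code from the thread. It assumes an application-managed login that stores a "user" session attribute, and actions mapped as /login.do and /logoff.do (all hypothetical names).

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: one filter guards every action, so the actions themselves need no check.
// Assumed names (not from the thread): session attribute "user", /login.do, /logoff.do.
public class AuthFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String path = req.getServletPath();

        // getSession(false) returns null when there is no session.
        // getSession() would silently create a new one, so a "session exists"
        // test based on it always passes, even right after invalidate().
        HttpSession session = req.getSession(false);

        if ("/logoff.do".equals(path)) {
            if (session != null) {
                session.invalidate();
            }
            res.sendRedirect(req.getContextPath() + "/login.do");
            return;
        }
        if ("/login.do".equals(path)) {
            chain.doFilter(rq, rs); // the login action must stay reachable
            return;
        }

        // A bare session is not proof of login; require the marker set at login.
        boolean loggedIn = session != null && session.getAttribute("user") != null;
        if (!loggedIn) {
            res.sendRedirect(req.getContextPath() + "/login.do");
            return;
        }

        // Keep protected pages out of the browser cache so that Back after
        // logoff triggers a new request (and this check) instead of a cached copy.
        res.setHeader("Cache-Control", "no-store");
        res.setHeader("Pragma", "no-cache");
        res.setDateHeader("Expires", 0);
        chain.doFilter(rq, rs);
    }
}
```

Register the filter in web.xml with a filter-mapping for the action URL pattern (for example `*.do`) so it runs before every action.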

