Kalle,
Thank you so much for the quick reply, based on which we have done the
following:
1. We surveyed several Tapestry sites (including the hotelbooking demo app)
and confirmed that leaving the cookie after session invalidation is
expected.
2. We then double confirmed that the leftover cookie is indeed the cause of
server-side exception reporting -- as soon as the cookie is manually
removed or re-issued by the server (as the result of a persistent page
field, etc.), the server stops complaining.
3. We then decided that the issue was with the client's server environment,
which ran Jetty 6, and confirmed with the client that it was an arbitrary
choice. They provided a new Jetty 9 environment, under which we deployed
the application, and the exceptions went away!
So all is good! Thanks Kalle.
Best,
Harry
On Mon, Nov 3, 2014 at 12:42 PM, Kalle Korhonen <kalle.o.korho...@gmail.com>
wrote:
> On Sun, Nov 2, 2014 at 4:41 PM, Harry Zhou <superha...@gmail.com> wrote:
>
> > The user is indeed logged out, and the session is indeed invalidated.
> > Everything seems to work fine.
> > 3. The Issue
> > Upon closer inspection, I noticed that the session cookie created by user
> > during login is still in the browser after logout. The browser
> repeatedly
> > requests the session with the JSESSIONID: "g3xfcskjnvf" from the server,
> > which has already been invalidated.
> >
> > Sure enough, the server stderrout log shows the following (trimmed for
> > clarity) for each request made by the user after logout:
> >
> > INFO org.codehaus.wadi.core.contextualiser.HybridRelocater - Unknown
> > session [g3xfcskjnvf]
> > ERROR org.codehaus.wadi.core.manager.StandardManager - Could not acquire
> > session [g3xfcskjnvf]
> > Is it normal that the session cookie is not removed (by setting maxAge to
> > 0, etc.) after the session is invalidated on the server side? If not,
> did
> > I make a mistake in my way of logging the user out that causes the cookie
> > to remain?
> >
> > First of all, requesting an invalid session should not have been logged
> as
> an error - it's a completely normal for a web application - a WARN or
> simply DEBUG would have suited much better (you could open an issue with
> Wadi on that). Anyway, tapestry-security doesn't explicitly remove
> JSESSIONID cookie on logout. It just invalidates the session and removes
> the rememberMe cookie. I didn't see that you are manually removing the
> JSESSIONID cookie anywhere in your code. If you are and it doesn't work,
> the headers must be rewritten after the fact. Whether it should be done
> automatically by the servlet implementation, I'm actually not sure if the
> spec says anything about it. We could check that out and if the behavior is
> left open, it'd be simple to add that as an enhancement to
> tapestry-security.
>
> Kalle
>
--
Best Regards
Harry Zhou
