Without seeing actual code, we can only guess. Have you made two consecutive calls to invalidate() [on the same thread] and not received the documented exception?
Are you getting a different session id from getId()? I am guessing you are making a second request, which creates a brand new session. What mechanism(s) are you using for logging in? Your own? Basic? If the latter, your browser will reuse the credentials as long as the browser window is alive. Tim -----Original Message----- From: Chris Gibbons [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 13, 2006 11:33 AM To: users@tomcat.apache.org Subject: HttpSession.invalidate() not working as expected I am trying to invalidate my session by calling HttpSession.invalidate(), the problem I am having is after I log in as a user, then log out, then log back in, the second log in doesn't call any of my authentication methods. On logout I am calling HttpSession.invalidate() which doesn't throw any exceptions. To test whether the invalidate method was actually working I made a second call to HttpSession.invalidate() which according to the API should throw an exception on the call to invalidate an already invalidated method. This second invalidate doesn't throw an exception and I can still call HttpSession.getId() and have it return a valid value. Could someone tell me why the invalidate() method is not really invalidating or a suggestion on a better way to do this? Chris --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]