John,

> When I call request.getUserPrincipal(); I still get the Principal back
> and I can still call request.isUserInRole( "Foo" ); and get a valid
> response for the currently logged in user.

Are you checking those values during the same request in which you
killed the session? It's possible that the request needs to be recycled
(or a new session created) before getUserPrincipal and isUserInRole will
return different values. Just a thought?

-chris

> 
> John
> 
>>> From: John McPeek [mailto:[EMAIL PROTECTED]
>>> Subject: FORM based authentication LOGOUT
>>>
>>> I have tried to invalidate the session and get a new one.
>>> No Dice.
>>>   
>>
>> When you say "No Dice", what actually happens?
>>
>> All the admin app for Tomcat does is the following, which seems to work:
>>
>>        HttpSession session = request.getSession();
>>        session.invalidate();
>>        session = request.getSession(true);
>>
>> - Chuck
>>
>>
> 
> 
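
Added example (not part of the original messages, and not Tomcat's own code): a logout servlet that follows the suggestion above by finishing the request with a redirect, so that the principal and roles are evaluated again on a fresh request. The class name and redirect target are hypothetical, and request.logout() assumes a Servlet 3.0 or later container.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical class name; map it to a URL of your choice in web.xml.
public class LogoutServlet extends HttpServlet {

    // Hypothetical landing page, relative to the context path.
    private static final String AFTER_LOGOUT = "/index.jsp";

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // Servlet 3.0+: asks the container to drop the authenticated identity,
        // after which getUserPrincipal() on this request returns null.
        // On older containers this method does not exist; omit the call and
        // rely on the invalidate-and-redirect steps below.
        request.logout();

        // getSession(false) avoids creating a session only to destroy it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // As reported in the thread, checking getUserPrincipal() or
        // isUserInRole() here, on the request that invalidated the session,
        // can still show the old user when request.logout() is unavailable.
        // Do not branch on those values in this request.

        // End this request. The browser's next request carries no valid
        // session, so the container evaluates authentication from scratch
        // and FORM login is triggered again for protected resources.
        response.sendRedirect(
                response.encodeRedirectURL(request.getContextPath() + AFTER_LOGOUT));
    }
}
```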
