Martin the problem is that even when you invalidat the session... the
browser itself still knows that the user is cool...
So TC will send it a new session ID and it will return the info without
even asking the user to logon as such...
Please indicate the part of the Tomcat code which makes the above
behavior happen. I quote from the Servlet 2.4 spec.
"If the user is authenticated using form login and has created an HTTP
session, the timeout or invalidation of that sessions leads to the user
being logged out in the sense that subsequent requests must be
re-authenticated." (SRV.12.5.3.1 Login Form Notes)
so I don't think what you say is correct.
Even when a user opens a new page in the browser... it knows they
"still" cool
Until the browser is closed they logged on ;)
And there is no direct "the browser is gone event"... browsers are
stateless yada yada
This isn't actually correct. Invalidating the session on the server
means that the browser's record of the session is as though the session
never existed. Tomcat will no longer 'associate' session state with the
session Id provided by the browser and all the state in the session is
lost (unless persisted by an application.)
request.getRemoteUser() will return null because the browser and server
can no longer agree on a sessionID, this is as other contributors have
said the 'logged out' state.
The standard servlet authentication mechanisms will redirect any
furtheraccess to protected pages to the selected login mechanism as soon
as the session is invalidated.
if request.getRemoteUser() has the users name... they on... you dont
know when they off
but you can track the user... either you have that in every page and if
you get a name you record time page url...
or you can stick that in a filter... which sits in front of all your
pages, so you dont have to doctor every page on a site...
You know when they in... you dont know when they gone..
It is true that unless you have some javascript code which specifically
generates an event to say that the browser is logged out AND the network
connection is still valid, you don't actually know that the browser has
'gone'. However, you can easily generate a session timeout event.
I have actually implemented user state logging (detect log in event,
detect navigation events and detect either manual logout or session
timeout and it works fine. It is driven entirely from looking at the
state of 'getRemoteUser' and the session timeout event.
Regards
Alan Chaney
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
