Ok. The actual problem I have is that wicket auth keeps logging in
automatically. This is a side effect of a.o. BASIC authentication (not sure if
that is used in this case, but the behavior is similar) which sends the login
credentials with every request, even if you have logged out in the mean time.
To enforce a new login via the login page, one usually places some marker in
the session telling the authenticator class that it should not accept the
current credentials until a valid login page submit was done. But since Wicket
keeps doing things to the session, I'm not able to get this marker to work.
Are there any people using auth and that are able to fully log out?
Tom
On 2012-06-25 13:29, Martin Grigorov wrote:
Hi Tom,
I agree with your vision.
But since Wicket is a framework around the Servlet API we call
HttpSession.invalidate(). This triggers some web container internal
workings and at some point Wicket is called back (see
javax.servlet.http.HttpSessionListener/HttpSessionBindingListener) and
Wicket clears everything that it added to this session.
What happens with this session later is not our business. It may be
teared down or recycled, we really don't care. Next time we need to
store something in the http session we just call:
httpRequest.getSession(true) and use it.
I know you use recent version of Wicket (6.x ?) and there are no
pagemaps since Wicket 1.5.0 but if you find that anything leaks then
it is a bug and it should be fixed.
On Sat, Jun 23, 2012 at 11:31 AM, Tom Eugelink <t...@tbee.org> wrote:
Which means that upon logout, these values should be removed / cleared. A
session does not represent a user, it is a construct to bind request, no
more no less. All other usages are bolted on and should be bolted off. You
don't tear down the house, just because you are moving.
Tom
On 2012-06-23 10:18, Bert wrote:
But Wicket also stores the page map in the session to support back
button functionality. If you only change the status, than the user
could possibly (depending on how you construct your page) go back
after the logout and see the last pages.
This could be a problem on public computers.
You could also see a session as representing a user, not a browser.
Than, invalidating the session on logout makes perfect sense to me.
regards
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org