Ok. I also have a logout page, call signout in the before-render, and then use 
the exception thing to immediately forward to another page. Maybe actually 
showing the logout page is the trick (better a page and autologin all the time).

What do you do on the logout page to force the logout?

Tom


On 2012-06-25 13:58, Stefan Moises wrote:
Hi Tom,

we are using wicket auth and we can only logout if we use a dedicated Signout 
page (with template) - if we only logout (and e.g. try to forward right to the 
homepage with setResponsePage()) it doesn't work and the user always stays 
logged in as you describe it.
We'd love to get rid of the additional Signout page though (because it only says 
"Good bye" and is rather annoying for regular users I think ...) :)

Stefan

On 25.06.2012 13:38, Tom Eugelink wrote:
Ok. The actual problem I have is that wicket auth keeps logging in 
automatically. This is a side effect of, among others, BASIC authentication (not sure if 
that is used in this case, but the behavior is similar) which sends the login 
credentials with every request, even if you have logged out in the meantime. 
To enforce a new login via the login page, one usually places some marker in 
the session telling the authenticator class that it should not accept the 
current credentials until a valid login page submit was done. But since Wicket 
keeps doing things to the session, I'm not able to get this marker to work.

Are there any people using auth and that are able to fully log out?

Tom


On 2012-06-25 13:29, Martin Grigorov wrote:
Hi Tom,

I agree with your vision.
But since Wicket is a framework around the Servlet API we call
HttpSession.invalidate(). This triggers some web container internal
workings and at some point Wicket is called back (see
javax.servlet.http.HttpSessionListener/HttpSessionBindingListener) and
Wicket clears everything that it added to this session.
What happens with this session later is not our business. It may be
torn down or recycled, we really don't care. Next time we need to
store something in the http session we just call:
httpRequest.getSession(true) and use it.

I know you use a recent version of Wicket (6.x ?) and there are no
pagemaps since Wicket 1.5.0 but if you find that anything leaks then
it is a bug and it should be fixed.

On Sat, Jun 23, 2012 at 11:31 AM, Tom Eugelink <t...@tbee.org> wrote:
Which means that upon logout, these values should be removed / cleared. A
session does not represent a user, it is a construct to bind requests, no
more, no less. All other usages are bolted on and should be bolted off. You
don't tear down the house, just because you are moving.

Tom


On 2012-06-23 10:18, Bert wrote:
But Wicket also stores the page map in the session to support back
button functionality. If you only change the status, then the user
could possibly (depending on how you construct your page) go back
after the logout and see the last pages.

This could be a problem on public computers.

You could also see a session as representing a user, not a browser.
Then, invalidating the session on logout makes perfect sense to me.

regards


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
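
The session marker Tom describes, combined with the invalidate-then-`getSession(true)` sequence Martin describes, as an added example in plain Servlet API (`javax.servlet`). It is not code from this thread or from Wicket, and the class name, the attribute name and the `/login` path are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Blocks automatic re-login after logout until the login form is submitted. */
public class ReloginMarkerFilter implements Filter {
    // Hypothetical names, not taken from the thread.
    static final String MARKER = "reloginRequired";
    static final String LOGIN_PATH = "/login";

    /** Call from the logout handler: drop the old session, then mark the fresh one. */
    public static void logout(HttpServletRequest req) {
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate(); // container and framework clear what they stored
        }
        // The marker is written to the NEW session, so invalidation cannot remove it.
        req.getSession(true).setAttribute(MARKER, Boolean.TRUE);
    }

    /** Call only after credentials submitted through the login form were verified. */
    public static void loginSucceeded(HttpServletRequest req) {
        req.getSession(true).removeAttribute(MARKER);
    }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(false);
        boolean marked = session != null && session.getAttribute(MARKER) != null;
        String path = req.getRequestURI().substring(req.getContextPath().length());
        // Exact match, or the login path followed by a ";jsessionid=..." parameter.
        boolean loginPage = path.equals(LOGIN_PATH) || path.startsWith(LOGIN_PATH + ";");
        // Credentials the browser resends on its own (e.g. BASIC) do not count while marked.
        if (marked && !loginPage) {
            res.sendRedirect(req.getContextPath() + LOGIN_PATH);
            return;
        }
        chain.doFilter(rq, rs);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

The marker only protects sessions that carry it: if the browser discards the session cookie, the next request gets an unmarked session and resent credentials are accepted again.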





