dev@glassfish.java.net

Re: Web-application logout

From: Jan Luehe <Jan.Luehe_at_Sun.COM>
Date: Thu, 03 Aug 2006 11:09:40 -0700

Hi Dmitry,

Dmitry Mozheyko wrote On 08/03/06 04:05,:

>Hello all.
>I am trying to code a logout servlet, but request.getSession().invalidate() does not work: the browser "remembers" the old entered principal.
>I read some blogs and inserted this code before invalidating the session:
> response.setHeader("Cache-Control","no-cache,post-check=0,pre-check=0,no-store,private");
> response.setDateHeader("Expires", new Date().getTime() - 1);
> response.setHeader("Pragma","no-cache");
>but the result has not changed.
>
>

The just-promoted b11 contains a fix for a somewhat related issue:

  https://glassfish.dev.java.net/issues/show_bug.cgi?id=834
  ("Sessions not invalidated on Redeploy")

However, this issue has not applied to the case where a session is being
explicitly invalidated (by calling session.invalidate()), which is what
you are doing: In this case, all interested session listeners (including
SSO) have always been notified of the session being destroyed.

Also notice that even though a session has been invalidated, its
JSESSIONID will still be returned to the client in a response cookie
(this is because the response cookie is added at the time the session
is created), but a subsequent client request carrying this cookie will
not be able to resume the session, since the session was purged from
SSO and the webapp's session manager. We're working on an optimization
that will delay the addition of the response cookie to the time the
response is committed, and add the cookie only if the session is still
valid.


Jan
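
A logout handler that accounts for the cookie behaviour described in the message above, as an added example that is not part of the original thread and is not GlassFish code. The class name `LogoutServlet`, the `/login.jsp` target and the cookie path (the context path) are assumptions.

```java
import java.io.IOException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example. LogoutServlet and /login.jsp are hypothetical names.
public class LogoutServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // getSession(false) avoids creating a fresh session just to destroy it,
        // which would also cause a new JSESSIONID cookie to be issued.
        HttpSession session = request.getSession(false);
        if (session != null) {
            // Notifies session listeners (including SSO) and purges the
            // session from the webapp's session manager.
            session.invalidate();
        }

        // The client may still hold (or be sent) the old JSESSIONID. It can no
        // longer resume the session, but expire it explicitly so the stale ID
        // is not replayed. Assumption: the container scoped the cookie to the
        // context path ("/" for the root context); the path must match for the
        // browser to treat this as the same cookie.
        String contextPath = request.getContextPath();
        Cookie expired = new Cookie("JSESSIONID", "");
        expired.setPath(contextPath.isEmpty() ? "/" : contextPath);
        expired.setMaxAge(0); // Max-Age=0 tells the browser to delete the cookie
        response.addCookie(expired);

        // Keep the logout response itself out of browser and proxy caches.
        response.setHeader("Cache-Control", "no-store");

        // Redirect so the next request starts without the old session ID.
        response.sendRedirect(contextPath + "/login.jsp");
    }
}
```

To confirm the session is gone, replay the old JSESSIONID against a protected resource: `request.getSession(false)` should return `null` for that request.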
