> When a session times out, my apps successfully redirect the
> user to the login form and the user is successfully
> authenticated.
By "session times out", are you referring to some internal application time out, or the container based session timeout?
In theory, once the session times out (container timeout) "you" shouldn't have to redirect anyone to anything, the container should be doing that automagically.
If it's an application timeout, are you invalidating the session? Invalidating a session seems to be a good way to destroy the authentication and "log out".
[Message sent by forum member 'whartung' (whartung)]
http://forums.java.net/jive/thread.jspa?messageID=299476