Re: Security Issue with built-in form-based login

From: Alan Wright <alan.wright@xxx.com>
Date: Thu Apr 18 2002 - 03:33:39 PDT

Thanks Martín

When I say "User A leaves the computer" I mean they walk away from the
computer without bothering to close the browser. Imagine they don't
realise the importance of actually logging out of the authenticating
site, have a quick look at another website then walk away from the PC
without closing the browser. The next user by coincidence has an
account with the validating site so their authentication is successful,
but after login they see user A's session data if the session has not
yet timed out. This may seem like a far-fetched scenario, but for our
application and target market it is a probable one (look up Sod's law).

Is this the sort of thing you mean by

"Proper logout (beyond session.invalidate()) is also important."?

        try {
            // Resin keeps its authenticator in the servlet context; ask it to
            // log the current principal out of the container, not just this webapp.
            ServletContext app = servlet.getServletContext();
            ServletAuthenticator auth = (ServletAuthenticator)
                app.getAttribute("caucho.authenticator");
            Principal user = request.getUserPrincipal();

            if (user != null) {
                auth.logout(request, response, app, user);
                if (servlet.getDebug() >= 1) {
                    servlet.log(" logged out " + user.getName());
                }
            }
        } catch (Exception e) {
            servlet.log(e.getMessage(), e);
        } finally {
            // Drop the HTTP session whether or not the container logout succeeded.
            // getSession(false) avoids creating a fresh session only to invalidate it.
            HttpSession session = request.getSession(false);
            if (session != null) session.invalidate();
            return (mapping.findForward("loggedout"));
        }
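The shared-PC scenario in the message above is usually closed at two points rather than one: at login, by discarding whatever session the browser still carries before a new user gets one, and at logout, by clearing both the server-side session and the browser's cookie. The following is an added illustration in plain servlet API terms, not code from the original post, from Resin or from Struts; the LoginServlet class, the "/home" redirect target and the sample credentials are assumptions made for the example.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical form-login servlet (not Resin's or Struts' code) showing the two
// places the shared-PC scenario has to be handled: at login and at logout.
public class LoginServlet extends HttpServlet {

    // Constructed sample credentials for this example only; a real application
    // verifies a salted hash from its user store instead.
    private static final Map<String, String> USERS = Map.of("alice", "s3cret", "bob", "hunter2");

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        if (username == null || !USERS.getOrDefault(username, "").equals(password)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Any session the browser still carries belongs to whoever used the PC
        // before (user A above). Discard it so user B never inherits A's attributes
        // and so a session id that existed before login cannot be reused.
        HttpSession stale = request.getSession(false);
        if (stale != null) {
            stale.invalidate();
        }
        HttpSession session = request.getSession(true);   // fresh id, fresh attributes
        session.setAttribute("user", username);
        session.setMaxInactiveInterval(15 * 60);          // bound an unattended browser
        response.sendRedirect(request.getContextPath() + "/home");
    }

    // Logout: invalidate server-side state AND tell the browser to drop the cookie,
    // so the next person at this PC starts with no session at all.
    static void logout(HttpServletRequest request, HttpServletResponse response) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        Cookie dead = new Cookie("JSESSIONID", "");
        dead.setMaxAge(0);
        dead.setPath(request.getContextPath().isEmpty() ? "/" : request.getContextPath());
        response.addCookie(dead);
    }
}
```

Invalidating on logout alone still leaves the window the message describes: a browser that is never closed and a session that has not yet timed out, which is why the login path discards the inherited session as well.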