Log-out: How to do it correctly?
stephen May 16, 2008 12:05 AM
I had several problems implementing a clean logout method.
(While I typed this I solved the last of these problems. I am posting this topic anyway, because I really feel there must be an easier/better way. Also it may be a nice reference.)
My spec calls for a logged-out confirmation page (logged-out.xhtml).
- At first my "Log out" link was a commandLink, but I had to change that to a plain link. A commandLink failed when the session already had expired anyway. It is actually funny that when you try to log out, you get an error message about not being logged-in. My client (rightfully) considered this a bug. BTW: seamframework.org has exactly the same problem.
- Now that I had a plain link I had to move my logout code (which calls Session.instance().invalidate()) from the commandLink's action to a page action for the logged-out.xhtml. That did not work either because invalidate() only invalidates at the end of the request. However the logged-out.xhtml contains a menu with several items that are shown only when the user is logged-in. Those were of course still showing because the session only expired at the end of the request. Gee, ok, I'll just put a redirect there - oops infinite redirection because the page action triggers again and again. Grr, finally I used a virtual page log-out.xhtml which redirects to logged-out.xhtml.
- Final problem (so far ;-) ): My client's coding guidelines require that the HTTP session gets destroyed on logout. However immediately after invalidating the HTTP session, the display of logged-out.xhtml created a new HTTP session on the server. Workaround: Invalidate the session again. I found that putting #{session.invalidate} into a page action does not work - no effect at all, why? I had to wrap that call into a custom Java method. (Which needs to be different from my logout() method, because that returns an outcome that would cause infinite redirection (and besides it also does some logging).)
Is it me who is too stupid or does it really have to be that complex?
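
The arrangement described in the post above, written out as an added example that is not the poster's own code. It assumes Seam 2.x; the component name `logoutAction`, the method name `dropSession` and the outcome `done` are hypothetical, and the pages.xml wiring is shown in the leading comment.

```java
// Added example, not the poster's code. Assumes Seam 2.x.
// "logoutAction", "dropSession" and the "done" outcome are hypothetical names.
//
// pages.xml wiring for the two pages named in the post:
//   <page view-id="/log-out.xhtml" action="#{logoutAction.logout}">
//     <navigation>
//       <rule if-outcome="done"><redirect view-id="/logged-out.xhtml"/></rule>
//     </navigation>
//   </page>
//   <page view-id="/logged-out.xhtml" action="#{logoutAction.dropSession}"/>
package example;

import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.log.Log;
import org.jboss.seam.web.Session;

@Name("logoutAction")
public class LogoutAction {

    @Logger
    private Log log;

    /** Page action of the virtual page log-out.xhtml, reached by a plain link. */
    public String logout() {
        log.info("logout requested");
        // Invalidation takes effect at the end of this request, so the
        // redirect target is rendered in a later request, after the
        // logged-in session is gone and its menu items no longer show.
        Session.instance().invalidate();
        return "done"; // matches the redirect rule to logged-out.xhtml
    }

    /**
     * Page action of logged-out.xhtml. It returns void, so no outcome is
     * produced and no navigation rule can redirect back to this page.
     */
    public void dropSession() {
        // Displaying the confirmation page creates a new HTTP session;
        // schedule that one for invalidation at the end of the request too.
        Session.instance().invalidate();
    }
}
```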