I wrote a custom login module which I use to authenticate a user against a remote server. I have overridden the login and logout methods with my own code. Both work correctly.
The only thing I do not understand is why the sessions of my portlets do not get invalidated. If I log in to my application, log out and then log in again, I notice that the old portlet sessions are still valid (renderRequest.isRequestedSessionIdValid() evaluates to true). A few code lines later, when I try to retrieve an attribute from the session, I get an exception that the session is already invalidated (java.lang.IllegalStateException: getAttribute: Session already invalidated).
At the moment, this is very confusing for me because isRequestedSessionIdValid() evaluates to true. After logging out, I would expect that all portlet sessions are invalidated and isRequestedSessionIdValid() should evaluate to false. What am I doing wrong? Can anybody explain this behavior to me? Maybe there is something I misunderstood.