4 Replies Latest reply on Sep 16, 2009 8:16 AM by apemberton

    Global logoff

    dawebster

      This should be a common problem in the portal world. I have four portlets in a portal page that are actually apps hosted in four different containers, EWS, EAP, etc., each with its own session to that container managed via a JSESSIONID cookie, all named, of course, jsessionid, but with custom cookie paths to enable Apache to properly route requests and apply sticky-session attributes.

      Problem is how to provide a single logout button that will invalidate/delete the session (jsessionid) cookies of each app in the portal page.

      We do not want users to have to log out of each app or close their browser. Problem today is the global logout (implemented as its own little app) can only log itself out; the sessions of the portal's apps remain intact on the respective servers. Another user comes along (these are kiosk machines in the field used by many different users) and they get the previous user's sessions instead of new ones, because the browser is still maintaining the old session cookies to each app and the sessions are still active on the server-side?

      We can alter the default name of the session cookie on each server host to something other than jsessionid and do away with custom cookie paths, but Tomcat does not recommend doing that as it is a violation of the servlet spec?

      Any other ideas out there?
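
The cookie side of the problem described above, as an added example that is not part of the original post: a browser stores cookies keyed by name and path, so a logout response only removes a path-scoped jsessionid if it sends an expiry with the same Path. The paths are hypothetical and all apps are assumed to sit behind one Apache hostname; this clears the browser only, so each container still has to invalidate or time out its own server-side session.

```python
from http.cookies import SimpleCookie

# Hypothetical cookie paths, one per portlet app (assumed, not taken from the post).
APP_PATHS = ["/portal", "/ews-app", "/eap-app", "/reports"]


def expiry_headers(paths, name="JSESSIONID"):
    """Build one Set-Cookie value per path telling the browser to drop that cookie."""
    return [f"{name}=; Path={path}; Max-Age=0; HttpOnly" for path in paths]


class Jar:
    """Minimal model of a browser cookie store: entries are keyed by (name, path)."""

    def __init__(self):
        self.cookies = {}

    def apply(self, header):
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            key = (name, morsel["path"] or "/")
            if morsel["max-age"] == "0":
                # Expiry only hits the entry with the identical name and path.
                self.cookies.pop(key, None)
            else:
                self.cookies[key] = morsel.value


def remaining_after_logout(logout_paths):
    """Log in to every app, apply the logout headers, return paths still holding a session cookie."""
    jar = Jar()
    for i, path in enumerate(APP_PATHS):
        # Constructed sample session ids, one per container.
        jar.apply(f"JSESSIONID=sess{i}; Path={path}")
    for header in expiry_headers(logout_paths):
        jar.apply(header)
    return sorted(path for (_, path) in jar.cookies)


if __name__ == "__main__":
    print("expire at / only :", remaining_after_logout(["/"]))
    print("expire every path:", remaining_after_logout(APP_PATHS))
```
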