5 Replies Latest reply on Jun 6, 2008 9:17 PM by monkeyden

    Log-out: How to do it correctly?

    stephen

      I had several problems implementing a clean logout method.
      (While I typed this I solved the last of these problems. I am posting this topic anyway, because I really feel there must be an easier/better way. Also it may be a nice reference.)


      My spec calls for a logged-out confirmation page (logged-out.xhtml).




      • At first my "Log out" link was a commandLink, but I had to change that to a plain link. A commandLink failed when the session already had expired anyway. It is actually funny that when you try to log out, you get an error message about not being logged-in. My client (rightfully) considered this a bug. BTW: seamframework.org has exactly the same problem.




      • Now that I had a plain link I had to move my logout code (which calls Session.instance().invalidate()) from the commandLink's action to a page action for the logged-out.xhtml. That did not work either because invalidate() only invalidates at the end of the request. However the logged-out.xhtml contains a menu with several items that are shown only when the user is logged-in. Those were of course still showing because the session only expired at the end of the request. Gee, ok, I'll just put a redirect there - oops infinite redirection because the page action triggers again and again. Grr, finally I used a virtual page log-out.xhtml which redirects to logged-out.xhtml.





      • Final problem (so far ;-) ): My client's coding guidelines require that the http session gets destroyed on logout. However immediately after invalidating the http session, the display of logged-out.xhtml created a new http session on the server. Workaround: Invalidate the session again. I found that putting #{session.invalidate} into a page action does not work - no effect at all, why? I had to wrap that call into a custom java method. (Which needs to be different from my logout() method, because that returns an outcome that would cause infinite redirection (and besides it also does some logging).)



      Is it me who is too stupid or does it really have to be that complex?

        • 1. Re: Log-out: How to do it correctly?
          necromancer

          What about invoking your own logout method, where you can invoke the Identity method logout?


          see:
          http://myfreecode.blogspot.com/2008/06/jboss-seam-and-logout-eng.html

          • 2. Re: Log-out: How to do it correctly?
            stephen

            You more or less completely missed the point.
            If you read carefully what I wrote, you'll see that I have already done that and that it does not solve any of the problems I mentioned.


            1) Making the log-out link work even if the session has already expired.


            2) First logging out and only then showing a logged-out confirmation page.


            3) Destroying the HTTP session when you log out.

            • 3. Re: Log-out: How to do it correctly?
              necromancer

              1) Making the log-out link work even if the session has already expired.


              In your own method you can check if the session is valid.


              2) First logging out and only then showing a logged-out confirmation page.


              In your own method you can first send the user to another page and then, if the user clicks again (read some parameter), do the logout.


              3) Destroying the HTTP session when you log out.


              You can call session.invalidate() in your OWN method.
              Any other problems?


              BTW, I see a slightly bigger problem: if I set remember-me and then do a logout, the user is logged out only for 1 request and then autologin happens again.

              • 4. Re: Log-out: How to do it correctly?
                stephen

                First, let me say that I already gave working solutions to all these issues. I was just asking if someone with a better understanding of Seam has a simpler idea.



                1) Making the log-out link work even if the session has already expired.
                
                In your own method you can check if the session is valid.


                You can't call any method if the session has already expired. First thing that JSF does when a postback request comes in, it tries to restore the view. That will simply fail if the session is already invalid. (That said, I am not sure if it would work with client side state saving.)



                2) First logging out and only then showing a logged-out confirmation page.
                
                In your own method you can first send the user to another page and then, if the user clicks again (read some parameter), do the logout.
                



                The user should not have to click anything else, but should just see a confirmation page: "You are logged-out. Here are a few links where you could go next, or log-in again." The issue is that log-out should happen before showing the page, but usually Seam only invalidates the session after the request.



                3) Destroying the HTTP session when you log out.
                
                You can call session.invalidate() in your OWN method. Any other problems?



                The problem is that I had to call logout twice. First before showing the confirmation page, then again when the confirmation page was shown, because displaying the confirmation page automatically creates a new http session. (On the second call using session.invalidate() rather than identity.logout() is enough.)


                • 5. Re: Log-out: How to do it correctly?
                  monkeyden

                  Have you tried to simply use an h:outputLink to the logout.xhtml page, and use a page action for that view-id in pages.xml?



                  <page view-id="/logout.xhtml">
                      <action expression="#{identity.logout}"/>
                  </page>
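
The three-step workaround stephen describes in this thread (plain link to a log-out.xhtml view, redirect to logged-out.xhtml, second invalidation on the confirmation page), written out as an added example; it is not code from any poster or from the Seam project. It assumes Seam 2 on the classpath, and the component name logoutAction, its method names and the loggedOut outcome are hypothetical.

```java
import org.jboss.seam.annotations.Name;
import org.jboss.seam.security.Identity;
import org.jboss.seam.web.Session;

/*
 * Assumed pages.xml wiring (view ids are the ones named in the thread):
 *
 * <page view-id="/log-out.xhtml" action="#{logoutAction.logout}">
 *   <navigation>
 *     <rule if-outcome="loggedOut">
 *       <redirect view-id="/logged-out.xhtml"/>
 *     </rule>
 *   </navigation>
 * </page>
 * <page view-id="/logged-out.xhtml" action="#{logoutAction.destroySession}"/>
 *
 * The "Log out" link is a plain GET link to /log-out.xhtml, so no JSF view
 * has to be restored and the link still works after the session has expired.
 */
@Name("logoutAction") // hypothetical component name
public class LogoutAction {

    /** Page action for /log-out.xhtml: log out, then redirect. */
    public String logout() {
        Identity identity = Identity.instance();
        // With an expired session nobody is logged in; skip straight to the redirect.
        if (identity.isLoggedIn()) {
            identity.logout();
        }
        // Invalidation only takes effect at the end of this request, which is
        // why the confirmation page is reached through a redirect.
        Session.instance().invalidate();
        return "loggedOut"; // hypothetical outcome, matched by the rule above
    }

    /**
     * Page action for /logged-out.xhtml: drops the HTTP session that was
     * created for the confirmation request. Returns no outcome, so no
     * navigation rule fires and the page cannot redirect to itself.
     */
    public void destroySession() {
        Session.instance().invalidate();
    }
}
```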