You cannot logout by flushing the cache! It's just a cache!
What happens is that the user's security credentials are still associated with his session. That's why you can "login" without username/password.
To logout a web user, simply remove the session:
Tried that also.
If you push the log-out button, then it calls the
flush method and it does : request.getSession().invalidate(); .
Then it redirects you to the main screen. Then if I push the log-in button again.. it just goes on and does not show me the pop-up-box asking for the username and password.
So somehow it still uses the data.
BASIC authentication i guess?