"juggl" wrote: I am using jboss-3.2.1_tomcat-4.1.24 and have set up SSO according to info from b. stansberry.
It seems to me that there is no way to actually logout a user. If I do a session.invalidate only the current session is invalidated but the sso id and the other associated sessions are still available.
From what I have seen from servlet spec 2.4 there is a new method logout which seems to be exactly for the purpose of finishing all sessions.
