6 Replies Latest reply on May 3, 2005 4:20 PM by Scott Stark

    Problem with logout with FORM based authentication and sessi


      Hi to all.
      I've read in the forum that when any web application has FORM based security, the way you can implement logout is making session.invalidate()
      I don't have problems when I request a resource under security protection. The form is showed to me and I validate correctly.
      The issue is that in my application I have a logout function to remove the userPrincipal stored in the request.
      The implementation of this logout function is session.invalidate(). But, after invalidate the session, the userPrincipal is still in the request.
      For example, I can see it with this code:

      System.out.println("The user is in the request after logging out: ");
      System.out.println( request.getUserPrincipal()!=null?"SI":"NO");

      And I can see in the console the answer "YES".

      Anybody can help me, please?
      Thanks a lot in advance

      P.S.: I'm using JBoss 4.0.1
      P.S.: If I use two consecutive times the logout function, then the userPrincipal does not exists. This is, to effectively logout the user, I have to click twice in the logout place of the web application. Of course, this is a not desired behaviour.But, why session.invalidate() works the second time and doesn't work the first time I call it?