Session Cookie Remains after Tapestry Security Logout

Hi Everyone!

I am developing an application using Tapestry 5.4-beta-22 and
Tapestry-Security 0.6.2. The Tapestry framework and the Tapestry-Security
module have made my life a lot easier, and for that I am really grateful.

I am writing to seek your generous input on an issue regarding the session
cookie generated by tapestry-security login, which seems to linger after
the session itself has been invalidated as a result of logout.

1. A user performs login and a corresponding session is created:

    Subject subject = SecurityUtils.getSubject();
    UsernamePasswordToken token = new UsernamePasswordToken(userName, password);
    token.setRememberMe(false);
    subject.login(token);

In the browser, a JSESSIONID cookie with the value: g3xfcskjnvf is created,
with maxAge: Session.

So far so good.

2. The user performs log out:

    try {
        SecurityUtils.getSubject().logout();

        // I believe the if block below is no longer necessary in Tapestry 5.4,
        // but kept it just in case. "request" is an injected instance of the
        // Tapestry Request service.
        if (request.getSession(false) != null) {
            request.getSession(false).invalidate();
        }
    } catch (Exception e) {}

The user is indeed logged out, and the session is indeed invalidated.
Everything seems to work fine.

3. The Issue

Upon closer inspection, I noticed that the session cookie created by the user
during login is still in the browser after logout. The browser repeatedly
requests the session with the JSESSIONID "g3xfcskjnvf" from the server,
which has already been invalidated.

Sure enough, the server stderrout log shows the following (trimmed for
clarity) for each request made by the user after logout:

INFO org.codehaus.wadi.core.contextualiser.HybridRelocater - Unknown
session [g3xfcskjnvf]
ERROR org.codehaus.wadi.core.manager.StandardManager - Could not acquire
session [g3xfcskjnvf]

Is it normal that the session cookie is not removed (by setting maxAge to
0, etc.) after the session is invalidated on the server side? If not, did
I make a mistake in my way of logging the user out that causes the cookie
to remain?

Thank you for your advice in advance.

Best Regards
Harry
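Added example, not code from the original post or from the tapestry-security project: a logout helper that, besides the Shiro logout and session invalidation shown above, also sends an expiring Set-Cookie for the container session cookie, since servlet containers do not do this on invalidate(). It assumes the standard Servlet API and Shiro's SecurityUtils, and that HttpServletRequest/HttpServletResponse are available (in Tapestry they are injectable services); the cookie name "JSESSIONID" is the servlet default and may differ per container configuration.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.shiro.SecurityUtils;

// Added illustration; assumes plain Servlet API plus Shiro's SecurityUtils.
public final class LogoutHelper {

    // Container session cookie name (assumption: servlet default, may be
    // renamed in the container's configuration).
    private static final String SESSION_COOKIE = "JSESSIONID";

    private LogoutHelper() {}

    public static void logout(HttpServletRequest request, HttpServletResponse response) {
        // 1. Tear down the Shiro subject (principals, authentication state).
        SecurityUtils.getSubject().logout();

        // 2. Invalidate the container session if one still exists.
        HttpSession session = request.getSession(false);
        if (session != null) {
            try {
                session.invalidate();
            } catch (IllegalStateException alreadyInvalid) {
                // Shiro's logout may already have invalidated it; nothing to do.
            }
        }

        // 3. Expire the session cookie in the browser. invalidate() only
        //    discards server-side state; the browser keeps sending the old
        //    id until the cookie is overwritten with Max-Age=0. The path must
        //    match the one the container used, or the browser treats it as a
        //    different cookie and keeps the original.
        String contextPath = request.getContextPath();
        Cookie expired = new Cookie(SESSION_COOKIE, "");
        expired.setPath(contextPath.isEmpty() ? "/" : contextPath);
        expired.setMaxAge(0);                 // 0 = delete immediately
        expired.setHttpOnly(true);            // keep the flags the live cookie had
        expired.setSecure(request.isSecure());
        response.addCookie(expired);
    }
}
```

After this, the next request arrives without a session id, so the container creates a fresh session instead of logging "Unknown session" for the stale one.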
