How to properly logout of a Java EE 6 Web Application after logging in

Question

A pretty simple requirement. After logging into web J2EE 6 application, how can I have the user logout again?

Most (all?) the books and tutorials I have seen show h

Answer 1

You should have logout servlet/jsp which invalidates the session using the following ways:

• Before Servlet 3.0, using session.invalidate() method which invalidates the session also.
• Servlet 3.0 provides a API method HttpServletRequest.logout() which invalidates only the security context and the session still exists.

And, the Application UI should be providing a link which invokes that logout servlet/jsp

Question: Indeed, how can I force a logout after, say, the session times out, etc?

Answer: The in web.xml lets you define the timeout value after which the session will get invalidated by the server.