Submit a bug or feature For further API reference and developer documentation, see Java SE Documentation. That documentation contains more detailed, developer-targeted descriptions, with conceptual overviews, definitions of terms, workarounds, and working code examples. Once you invalidate the session , how can a user do a back and refresh and access the same ( already invalidated ) session..??Even if the JSESSIONID is still present the session whose ID it is holding is already invalidated , so how can you get that session back My point is when you say session.invalidate() the session object is destroyed , so even if you use the same browser which will use the same JSESSIONID how will you be able to access an object( the session in this case ) after it has been destroyed..??A lot of times we have requirement to do some stuff like invalidating session whenever user clicks browser close button thereby invoking close event in browser. In Java Script we have events such as onbeforeunload and onunload.These events as their name suggest, gets triggered whenever the page gets unload.Copyright © 1993, 2017, Oracle and/or its affiliates. Hi LJM, the first thing that it seem wrong in your configuration, in my opinion, is the "FORM DETECTION URI".
This means the client has not acknowledged or joined the session and may not return the correct session identification information when making its next request. This may differ from the session ID in the current session if the session ID given by the client is invalid and a new session was created.
Problem is, when I invalidate the session, I get the following exception thrown: com.meterware.httpunit.
Http Internal Error Exception: Error on HTTP request: 500 Internal Error at com.meterware.httpunit. Even if I set the Http Unit Options to not thrown exceptions on errors, I am still left with a null Faces Context and can't continue the test.
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums Hi, I am calling session.invalidate() in my web application but this does not remove the JSESSIONID cookie.
So one of our customers has raised this as a security threat.
This happens if user close the browser or move to different page.