I am seeing a similar issue as mentioned in this question – https://stackoverflow.com/questions/1495390/how-do-i-invalidate-a-session-in-jsf.
I have a session scoped LoginBean, which have an action logout as #
ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();
HttpSession session = (HttpSession) ec.getSession(false);
HttpServletResponse response = (HttpServletResponse) ec.getResponse();
// remove cookies
response.addCookie(facade.removeCookie(((HttpServletRequest)ec.getRequest()).getCookies()));
// check what we have in sessionMap
System.out.println(ec.getSessionMap());
// remove attribute
session.removeAttribute("XYZ");
// invalidate session
if (session != null) {
System.out.println("invalidating session");
session.invalidate();
}
// see what is there in session map
System.out.println(ec.getSessionMap());
It almost work fine.
Output #
{xyzBean=com.xyz.bean.XYZBean@46f046f0,... }
invalidating session
{}
The sessionMap being empty, means there are no session scope beans. However, after logout action it redirects to another same page. Login being a layer on same page. I see that fragment jsps still have showing old data.
I am not removing JSESSIONID in facade.removeCookie. It removes some other cookies related to user.
Any help would be appreciated.
Thanks.
You’re likely viewing a page which is been served from browser cache. You need to add HTTP response headers which instructs the webbrowser to not cache the dynamic pages. You can do this with a
javax.servlet.Filterwhich is mapped on an<url-pattern>of interest, e.g.*.jsfor something and does the following job indoFilter()method:Don’t forget to clear the browser cache before testing 😉
Unrelated to the problem, the
if (session != null)nullcheck in your code is superfluous since session can never be null when it reaches that nullcheck. If it was null, it would have thrown aNullPointerExceptionat theremoveAttribute()call and thus never reach the nullcheck.