Relogin fails.

[sherihan]

Hi,
I've recently started to use Acegi security to secure my application.
Everything is going fine except that sometimes when I log off the application then relogin I'm not redirected to the correct page but I'm still redirected to the login page.
The user name and password I provide are correct and no login failure occurs.
It's just that the correct page is not opened.
When I try to login again, it succeeds.
I don't know why does this happen.
Could anyone plz help me in that.

Thanks in Advance.
Sherihan.

[Ben Alex]

Keep an eye on DEBUG-level logs and see if the same HttpSession ID is being used. Perhaps your container is not invalidating the HttpSession at logout. There is a bug in 0.8.0 (fixed in 0.8.1) related to handling of HttpSession invalidation and logouts. I've also seen people report problems like this when they're actually using BASIC authentication, which automatically re-presents credentials.

[sherihan]

Hi Ben,
thanks for ur reply.
But, I really don't know why should the container not invalidate the HttpSession at logout.
In the logout jsp I invalidate the seeion using

Code:

<%session.invalidate&#40;&#41;;%>

So, as I understand it shoul be invalidated.
Am I mistaken in that?
Thanks,
Sherihan.

[Ben Alex]

With 0.8.0, a problem was that the HttpSession was duly invalidated, but then the ContextHolder still contained an Authentication. During HttpSessionContextIntegrationFilter, it would then create a new HttpSession, and then copy the ContextHolder's Context into the new HttpSession. So in effect the item holding the Authentication token survived HttpSession invalidation - but only if you were not performing a redirect after the invalidation. It's fixed in 0.8.1.