3

Wicket org.apache.wicket.authroles.authentication.AuthenticatedWebSession has 2 methods: signOut and invalidate. The javac says that signOut mark use not logged in while invalidate do the same (e.g. call signOut) but

remove the logon data from where ever they have been persisted

At first glace for logout action signOut should be called. But for security reasons session must be invalidated immediately after user logins or logouts. So from this point invalidate should be called.

So what to call for logout? Also when it is needed to call signOut and when invalidate?

Cherry
  • 31,309
  • 66
  • 224
  • 364

2 Answers2

2

If you want to logout only, use AuthenticatedWebSession#signOut().

AuthenticatedWebSession uses an internal boolean flag 'signedIn' to notice if a user has been signed in (true) or no body has been ever signed in or a user has been logged out.

WebSession#invalidate() is responsible for removing session from the Wicket session registry and its complete invalidation. The implementation of AuthenticatedWebSession#invalidate() invokes AuthenticatedWebSession#signOut() as well, so that the regular log out is done. That could be helpful if your logout process requires some other action, so you can override AuthenticatedWebSession#signOut() method.

In other words:

  • invalidate() calls signOut() and than removes the session from the session registry.
  • signOut() marks the session as 'not signed in', but it does NOT remove the session.
Martin Strejc
  • 4,307
  • 2
  • 23
  • 38
0

For logout you should use #invalidate()! In my opinion #signOut() should not be part of the API. At the best it should be an alias of #invalidate().

If you want to be really secure then you should use #replaceSession() after login.

martin-g
  • 17,243
  • 2
  • 23
  • 35