Edit - 1
<security:logout
invalidate-session="true"
logout-success-url="/logout"
logout-url="/logoutfail"/>
</security:http>
编辑-1结束 http://pastie.org/8588538的第1到6行是注销用户的正确方法吗?因为当我这样做时,用户似乎在页面上短暂地退出登录,但然后可以再次使用相同的登录访问其他页面。看起来第31和38行正在创建新的会话cookie。但是怎么做呢?
@RequestMapping(value = "/logout" )
public String logout(ModelMap model, HttpServletRequest request){
request.getSession(true).invalidate();
System.out.println("logout user page shown--------------------");
return "/login/logout";
}
200 OK
GET /logout
200 OK
localhost:8080
5.7 KB
127.0.0.1:8080
225ms
HeadersResponseHTMLCacheCookies
Response Headersview source
Content-Language en
Content-Length 5864
Content-Type text/html;charset=ISO-8859-1
Date Mon, 30 Dec 2013 21:38:59 GMT
Server Apache-Coyote/1.1
Set-Cookie JSESSIONID=4B961D14E4B3096368BCC5F9A55874BC; Path=/ttmaven/; HttpOnly
Request Headersview source
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding gzip, deflate
Accept-Language en-US,en;q=0.5
Connection keep-alive
Cookie JSESSIONID=A0E89C909D0A7F7BE93EC737130E9A31
Host localhost:8080
Referer http://localhost:8080/ttmaven/users/home
User-Agent Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0
request.getSession(true).invalidate();
,我仍然保持登录状态。 - Mab