Security
  • #322152 Reply

    Greg Soulsby
    Member

    In my Spring Security logout form I need access to session variables.

    I am finding that if <logout invalidate-session="true"/> is within the http tag then I lose them.

    Setting <logout invalidate-session="false"/> fixes the problem.

    But there must be a reason you set <logout invalidate-session="true"/> in the default M4S scaffolding.

    Is there any risk being run by not invalidating the session?

    Thanks

    #322155 Reply

    cconway
    Member

    Hi P0rridge,

    I think this question is better posed on the SpringSource forums. Perhaps there is a better way to do what you are trying to do that someone over there can help with?

    I would imagine that if you left the session valid, it would eventually time out but that is not generally a best practice because server resources would be tied up unnecessarily. Also, I’m far from a security expert but I think that if someone came along and used the same browser, they may get the same session, leaving your app open to unintended access in public locations.
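
One way to keep invalidate-session="true" and still show session data on the logout page, as an added example that is not part of this thread or of the M4S scaffolding: copy the few values the page needs into request attributes before the session is destroyed, then forward (not redirect) to the view. The class name, the attribute names and the /loggedOut.jsp path are hypothetical.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;

// Added example: snapshot selected session variables at logout so the
// session itself can still be invalidated by the standard handler.
public class SnapshotLogoutHandler implements LogoutHandler, LogoutSuccessHandler {

    // Hypothetical names of the session variables the logout view displays.
    private static final List<String> NEEDED = Arrays.asList("displayName", "lastVisited");

    // Hypothetical view rendered after logout.
    private static final String VIEW = "/loggedOut.jsp";

    // Runs during logout; must be ordered before the handler that invalidates the session.
    public void logout(HttpServletRequest request, HttpServletResponse response,
                       Authentication authentication) {
        HttpSession session = request.getSession(false); // never create a session here
        if (session == null) {
            return; // session already timed out, nothing to copy
        }
        for (String name : NEEDED) {
            Object value = session.getAttribute(name);
            if (value != null) {
                // Request scope ends with this response, so nothing outlives the logout.
                request.setAttribute("logout." + name, value);
            }
        }
    }

    // Runs after all logout handlers; the session is gone, the request attributes are not.
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
                                Authentication authentication)
            throws IOException, ServletException {
        // A redirect would start a new request and lose the copied attributes.
        request.getRequestDispatcher(VIEW).forward(request, response);
    }
}
```

This assumes the bean is wired into a LogoutFilter as both the success handler and the first logout handler, ahead of SecurityContextLogoutHandler, for example through a custom-filter at the LOGOUT_FILTER position. Only the listed attributes are copied, so anything else held in the session is discarded with it.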
