From: Jay S. <thi...@gm...> - 2011-01-25 03:25:41
|
Hey all, I've always used session:clear() to logout. I end up as guest when I do so. BTW, I posted it hours ago, but replying never ever goes to the list!! Who knows what nuggets we've lost? :-( Jay On Tue, Jan 25, 2011 at 1:32 PM, Joe Wicentowski <jo...@gm...> wrote: > Andrew and Dan, > > Like Dan, my first thought was session:invalidate(), but it's also > necessary to use xmldb:login() to login again -- this time as guest. > You'll see this invalidate/re-login technique in action in the eXist > Admin panel's "Logout" button (in EXIST_HOME/webapp/admin/admin.xql, > lines 186-198): > > (: if we are already logged in, are we logging out - i.e. set > permissions back to guest :) > if(request:get-parameter("logout",()))then > ( > let $null := xdb:login("/db", "guest", "guest") > let $inval := session:invalidate() > > return false() > ) > else > ( > (: we are already logged in and we are not the guest user :) > true() > ) > > So "logging out" can be accomplished by logging in as guest. Indeed, > as the function docs for xmldb:login() indicate: > > "If called from a HTTP context the login is cached for the lifetime > of the HTTP session and may be used for any XQuery run in that > session."[1] > > In light of that, invalidating the session[2] after logging in as > guest might appear to be unnecessary, since the guest login would be > cached. But my guess is that we need to invalidate the session in > order to invalidate other session cookies that might be set for the > current session, and thereby free up memory. In any case, I think > invalidating the session alone is not sufficient to "log out". This > is because it's possible to login without creating a session (see the > 2nd version of the xmldb:login() function, which has a 4th parameter > which controls session creation). You could call session:invalidate() > but still be logged in. So, let me try to sum up: > > ==> To logout, login as guest with xmldb:login(). In addition, if you > are in an HTTP context, it is also necessary to invalidate the HTTP > session with session:invalidate(). Warning: Invalidating the session > without also logging in as guest is an inadequate way to logout if you > are not in an HTTP context. Likewise, logging in as guest without > invalidating the session in an HTTP context fails to free up memory, > so it is recommended to invalidate the session as part of a logout > routine in an HTTP context. > > I'd appreciate any corrections if I'm not entirely correct here. > > Cheers, > Joe > > [1] http://demo.exist-db.org/exist/functions/xmldb/login > [2] http://demo.exist-db.org/exist/functions/session/invalidate > > > On Tue, Jan 25, 2011 at 1:54 AM, Dan McCreary <dan...@gm...> wrote: >> This is a good question! >> >> It seems like if we had login we should logically also have a logout >> function. >> >> I think that since the login is associated with a session that the >> session:invalidate() function should have the same effect as logout. If I >> recall correctly some of us that are building systems that need audit trails >> have just wrapped invalidate() with a logout function that indicates if a >> person clicked a button or if the session timed out due to inactivity. >> >> Seems like this might be a nice inclusion in a future release that has a >> standardized set of login/logout event logging and reporting tools and >> applications. >> >> - Dan >> >> On Mon, Jan 24, 2011 at 11:32 AM, Andrew Welch <and...@gm...> >> wrote: >>> >>> Hi, >>> >>> Possibly a noob question, but what is the correct approach to log a >>> user out? I can see xmldb:login, but no corresponding >>> xmldb:logout...? >>> >>> I'm guessing, but does logging is as guest have the same effect? >>> >>> -- >>> Andrew Welch >>> http://andrewjwelch.com >>> >>> >>> ------------------------------------------------------------------------------ >>> Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)! >>> Finally, a world-class log management solution at an even better >>> price-free! >>> Download using promo code Free_Logger_4_Dev2Dev. Offer expires >>> February 28th, so secure your free ArcSight Logger TODAY! >>> http://p.sf.net/sfu/arcsight-sfd2d >>> _______________________________________________ >>> Exist-open mailing list >>> Exi...@li... >>> https://lists.sourceforge.net/lists/listinfo/exist-open >> >> >> >> -- >> Dan McCreary >> Semantic Solutions Architect >> office: (952) 931-9198 >> cell: (612) 986-1552 >> >> ------------------------------------------------------------------------------ >> Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)! >> Finally, a world-class log management solution at an even better price-free! >> Download using promo code Free_Logger_4_Dev2Dev. Offer expires >> February 28th, so secure your free ArcSight Logger TODAY! >> http://p.sf.net/sfu/arcsight-sfd2d >> _______________________________________________ >> Exist-open mailing list >> Exi...@li... >> https://lists.sourceforge.net/lists/listinfo/exist-open >> >> > > ------------------------------------------------------------------------------ > Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)! > Finally, a world-class log management solution at an even better price-free! > Download using promo code Free_Logger_4_Dev2Dev. Offer expires > February 28th, so secure your free ArcSight Logger TODAY! > http://p.sf.net/sfu/arcsight-sfd2d > _______________________________________________ > Exist-open mailing list > Exi...@li... > https://lists.sourceforge.net/lists/listinfo/exist-open > |