You should have a logout servlet/JSP which invalidates the session in one of the following ways:
- Before Servlet 3.0, using the session.invalidate() method, which also invalidates the session.
- Servlet 3.0 provides an API method, HttpServletRequest.logout(), which invalidates only the security context; the session still exists.
And the application UI should provide a link which invokes that logout servlet/JSP.
Question: Indeed, how can I force a logout after, say, the session times out, etc?
Answer: The <session-timeout> element in web.xml lets you define the timeout value after which the session will get invalidated by the server.
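Putting the two answers together, here is an added example (not code from the original posts) of a logout servlet that does both things the first answer lists, clears the Servlet 3.0 security context with request.logout() and then drops the HttpSession with session.invalidate(), plus a listener that records when the container destroys a session because the <session-timeout> from web.xml expired. The servlet path /logout, the redirect target /login.jsp, the 15-minute timeout and the logger name are assumptions for the example.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical logout servlet (example code, not from the original posts).
// The application UI links to this path; the path itself is an assumption.
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        performLogout(request, response);
    }

    // A plain link issues a GET, as the answer above describes; a POST from a
    // form is the safer trigger, so both are accepted and share one code path.
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        performLogout(request, response);
    }

    private void performLogout(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Servlet 3.0+: clears the container-managed security context (the
        // authenticated principal). As the answer notes, the HttpSession itself
        // is left in place by this call.
        request.logout();

        // Pre-3.0 mechanism, still required: invalidate the session so its id and
        // attributes cannot be reused. getSession(false) avoids creating a brand
        // new session only to destroy it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Keep the post-logout response out of browser caches, then send the
        // user to the login page (assumed path).
        response.setHeader("Cache-Control", "no-store");
        response.sendRedirect(request.getContextPath() + "/login.jsp");
    }
}

// Listener that observes session lifecycle events, including the forced
// "logout" that happens when the server expires an idle session. The
// declarative equivalent of setMaxInactiveInterval below is, in web.xml:
//   <session-config><session-timeout>15</session-timeout></session-config>
// Note the unit difference: web.xml takes minutes, the API takes seconds.
@WebListener
class SessionAuditListener implements HttpSessionListener {
    private static final Logger LOG = Logger.getLogger("session-audit"); // assumed name

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        // Programmatic idle timeout, 15 minutes (assumed value).
        event.getSession().setMaxInactiveInterval(15 * 60);
        LOG.info("session created: " + event.getSession().getId());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        // Fires both for explicit session.invalidate() in the servlet above and
        // for container-driven expiry after the configured timeout.
        LOG.info("session destroyed: " + event.getSession().getId());
    }
}
```

The listener is what makes the timeout-driven logout observable: the container invalidates idle sessions on its own schedule, so logging sessionDestroyed is the only reliable place to record that it happened.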