Dynamic Web Development with Seaside

18.7 Manually Expiring Sessions

In some cases developers might want to expire a session manually. This is useful, for example, after a user has logged out, as it frees all the memory that was allocated during the session. More importantly, it makes it impossible to use the Back button to get into the previously authenticated user account and do something malicious.

A session can be marked for expiry by sending the message WASession>>expire to a WASession. Note that calling expire will not cause the session to disappear immediately; it is only marked as expired and is no longer accessible from the web. At a later point in time Seaside will call unregistered, and the garbage collector eventually frees the occupied memory.

Let us apply it to our hotel application: we change our MiniInn application to automatically expire the session when the user logs out.

InnSession>>logout
    user := nil.
    self expire

Note that expiring a session without redirecting the user to a different location will automatically start a new session within the same application. Here we change that behavior to make it point to the Seaside web site as follows.

InnSession>>logout
    user := nil.
    self expire.
    self redirectTo: 'http://www.seaside.st'

If the user tries to get back to the application, he is automatically redirected to a new session.
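
As an added example (not code from the book), the following shows how the logout above might be triggered from a component, and how an override of unregistered can clear the user on the cleanup path as well. The selectors isLoggedIn and renderLogoutOn: are hypothetical, and the example assumes Seaside also calls unregistered for sessions that time out without an explicit logout.

```smalltalk
"Added example. Only #expire, #logout, #unregistered and the user
 variable come from the text; #isLoggedIn and #renderLogoutOn: are
 hypothetical names introduced for illustration."

InnSession>>isLoggedIn
	"Answer whether an authenticated user is attached to this session."
	^ user notNil

InnSession>>unregistered
	"Called by Seaside when it drops the session. Assumption: this also
	 happens for sessions that time out, where #logout never runs, so
	 the user reference is cleared here too."
	super unregistered.
	user := nil

MiniInn>>renderLogoutOn: html
	"Offer the logout link only to an authenticated session. The
	 callback runs on the server when the link is followed, so the
	 session is marked expired before any further request is served."
	self session isLoggedIn ifFalse: [ ^ self ].
	html anchor
		callback: [ self session logout ];
		with: 'Logout'
```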

Copyright © 19 March 2024 Stéphane Ducasse, Lukas Renggli, C. David Shaffer, Rick Zaccone
This book is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 license.
