in src/java/org/apache/turbine/pipeline/DefaultLoginValve.java [91:148]
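/**
 * Handles the configured login and logout actions before the rest of the
 * pipeline runs.
 *
 * <p>When the request carries the login action, every attribute of the
 * current HTTP session is removed before the action executes. For both
 * login and logout the action is then executed through the action loader,
 * the template context is cleaned up and the action is reset on the
 * {@code RunData} so it is not executed a second time.
 *
 * <p>Security note: the session is cleared but not replaced, so the
 * session identifier issued before authentication is still in use
 * afterwards. See the comment in the login branch.
 *
 * @param pipelineData the pipeline data of the current request
 * @throws Exception if executing the action or the cleanup fails
 */
protected void process(PipelineData pipelineData)
    throws Exception
{
    RunData data = pipelineData.getRunData();
    // Special case for login and logout: this must happen before the
    // session validator is executed, either to allow a user to log in
    // at all, or to ensure that the session validator gets to mandate
    // its page selection policy for non-logged-in users after the
    // logout has taken place.
    String actionName = data.getAction();
    // The parentheses matter: '&&' binds tighter than '||', so without
    // them the logout comparison is evaluated even when hasAction() is
    // false, dereferencing actionName without the guard.
    if (data.hasAction() &&
        (actionName.equalsIgnoreCase(actionLogin) ||
         actionName.equalsIgnoreCase(actionLogout)))
    {
        // If a user is logging in, the session is refreshed here so
        // that a new user cannot accidentally (for example after a
        // failed login) continue with information associated with the
        // previous user. Currently the only keys stored in the session
        // are "turbine.user" and "turbine.acl".
        //
        // NOTE(security): only the attributes are cleared; the session
        // itself is kept because invalidating it and starting a new one
        // reportedly forced users to log in twice. The pre-login session
        // identifier therefore stays valid after authentication, which
        // is the precondition for session fixation. Unless the login
        // action rotates the identifier itself (not visible from this
        // method), it should be rotated at login, e.g. with
        // HttpServletRequest.changeSessionId() on Servlet 3.1+.
        if (actionName.equalsIgnoreCase(actionLogin))
        {
            HttpSession session = data.getSession();
            Enumeration<String> names = session.getAttributeNames();
            if (names != null)
            {
                // Copy the keys into a new list first, so the session
                // can be cleared without a
                // ConcurrentModificationException.
                List<String> nameList = new ArrayList<>();
                while (names.hasMoreElements())
                {
                    nameList.add(names.nextElement());
                }
                for (String name : nameList)
                {
                    try
                    {
                        session.removeAttribute(name);
                    }
                    catch (IllegalStateException invalidatedSession)
                    {
                        // The session has been invalidated in the
                        // meantime; nothing is left to remove.
                        break;
                    }
                }
            }
        }
        actionLoader.exec(pipelineData, data.getAction());
        cleanupTemplateContext(data);
        // Reset the action so it is not executed again for this request.
        data.setAction(null);
    }
}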