Hitachi

uCosminexus Application Server Security Management Guide


5.10.5 Implementation of the API-based logout session

To perform the logout process, the logout session re-creates a LoginContext from the Subject registered in HttpSession (as described in 5.10.4 Implementation of the session to register the successfully authenticated subject to HttpSession). It then deletes the Subject registered in HttpSession, and also deletes the user attributes if they are registered in HttpSession. The following is an example of a logout implementation for the case where the user attributes are registered in HttpSession.

<%@ page import="javax.security.auth.Subject,
                 javax.security.auth.login.LoginContext,
                 javax.security.auth.login.LoginException" %>
<%
  try {
    // Subject registered in HttpSession at login time (see 5.10.4)
    Subject subject = (Subject)session.getAttribute("ExampleSubject");
    if (subject != null) {
      // Re-create the LoginContext around the stored Subject
      LoginContext lc = new LoginContext("Example", subject);
      // Remove the user attributes and the Subject from HttpSession, then log out
      session.removeAttribute("ExampleCredential");
      session.removeAttribute("ExampleSubject");
      lc.logout();
    }
  } catch (LoginException e) {
    application.log("Logout failed", e);
  }
%>
...
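The following stand-alone program is an added example and is not code from the Hitachi guide or from uCosminexus Application Server. It shows why the pattern above works: a LoginContext constructed around an existing Subject can call logout() without a prior login(), because JAAS instantiates the login modules on demand. The "Example" configuration name and the "ExampleSubject" / "ExampleCredential" attribute names are taken from the page; DemoLoginModule, DemoPrincipal and the Map used in place of HttpSession are constructed for this example only.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class LogoutExample {

    /** Constructed principal type so the module can find its own principals at logout. */
    public static final class DemoPrincipal implements Principal {
        private final String name;
        public DemoPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "DemoPrincipal[" + name + "]"; }
    }

    /** Hypothetical login module; stands in for the application server's real module. */
    public static class DemoLoginModule implements LoginModule {
        private Subject subject;

        @Override
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
        }

        @Override public boolean login() { return true; }   // constructed: no real credential check
        @Override public boolean abort() { return true; }

        @Override
        public boolean commit() {
            subject.getPrincipals().add(new DemoPrincipal("demo-user"));
            return true;
        }

        @Override
        public boolean logout() {
            // The logout LoginContext is a fresh instance, so this module instance never
            // saw commit(); it must locate its principals in the Subject, not in a field.
            subject.getPrincipals().removeAll(subject.getPrincipals(DemoPrincipal.class));
            return true;
        }
    }

    /** Programmatic JAAS configuration providing the "Example" entry used on the page. */
    static void installConfiguration() {
        Configuration.setConfiguration(new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!"Example".equals(name)) {
                    return null;
                }
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(DemoLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        new HashMap<String, Object>())
                };
            }
        });
    }

    /**
     * The logout steps from the scriptlet above, with a Map standing in for HttpSession.
     * Returns false when the session holds no authenticated Subject.
     */
    static boolean logoutFromSession(Map<String, Object> session) throws LoginException {
        Subject subject = (Subject) session.get("ExampleSubject");
        if (subject == null) {
            return false;
        }
        LoginContext lc = new LoginContext("Example", subject); // re-created from the Subject
        session.remove("ExampleCredential");                    // user attributes
        session.remove("ExampleSubject");                       // the Subject itself
        lc.logout();                                            // clears the module's principals
        return true;
    }

    public static void main(String[] args) throws LoginException {
        installConfiguration();
        Map<String, Object> session = new HashMap<>();   // constructed stand-in for HttpSession

        // Login and register the Subject and user attributes, as in 5.10.4
        LoginContext login = new LoginContext("Example");
        login.login();
        Subject subject = login.getSubject();
        session.put("ExampleSubject", subject);
        session.put("ExampleCredential", "constructed user attributes");
        System.out.println("after login : " + subject.getPrincipals() + " " + session.keySet());

        boolean loggedOut = logoutFromSession(session);
        System.out.println("after logout: " + subject.getPrincipals() + " " + session.keySet()
                + " loggedOut=" + loggedOut);

        // A second call finds no Subject in the session and does nothing
        System.out.println("repeat      : loggedOut=" + logoutFromSession(session));
    }
}
```

Compile with javac and run the class directly; the first line shows the principal and both session keys present, the second shows an empty principal set and an empty key set. The logout() implementation in the module is the point to check in a real deployment: because the logout runs through a newly created LoginContext, a module that relies on fields populated during commit() would silently leave principals in the Subject.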

When the session times out, the HttpSession is invalidated. Therefore, the Subject and user attributes registered in HttpSession become invalid as well.

The sessions of integrated user management also become invalid, because they are synchronized with HttpSession.