Session isn't invalidated on logout

Type atlassian
Reporter mjensen
Modified 2017-02-17T05:38:36


When the user logs out the HttpSession isn't invalidated.

The important details of the logged in user and other information is correctly cleared but other properties such as user preferences are not.

The impact is things like the label's section and location section's openness state isn't correctly loaded from the database (its read from the session which contains the value of the previously logged in user).