Session must not be invalidated on logout

2008-11-13T03:49:56
ID ATLASSIAN:CONFSERVER-13702
Type atlassian
Reporter ckiehl
Modified 2017-02-17T05:39:17

Description

People ran into [problems|http://forums.atlassian.com/thread.jspa?forumID=101&threadID=29965] because we started invalidating the session on logout in 2.9.2. They expect certain session attributes like the seraph LOGGED_OUT_KEY to be present.

This means we need to remove all session attributes except some special attributes like the seraph ones. The other option would be to only remove critical attributes like the users history from the session and leave it untouched otherwise. But I would rather go for the first approach, and remove as much data from the session as possible to avoid privacy issue created by future code.