It is always a good idea to put a Logout button in an obvious place in your application to encourage users to log out when they are done, rather than just closing their browser and allowing their session data to persist until their session times out.
Logging out is more secure (nobody can walk up to your system after you leave and continue using your session) and it also frees up resources more quickly for use by other sessions/requests.
To clean up J2EE Servlet Session data, whether you are authenticated (logged in) to the application server or not, you can call the invalidate()
method on the HttpSession API.
In a JSP Page, there is a "session" variable (unless the JSP page has a directive indicating that it is not a session related page) and you may call:
< session.invalidate(); >
In an LJO or Java Method from within a model with access to a WebAppAccess instance for the WebApp, you can call:
HttpServletRequest request = webAppAccess.getHttpServletRequest();
HttpSession session = request.getSession(false);
if (session != null)
Logged out page
If you are going to process a logged out page to return for this request that is logging out, you should process the page before invalidating the session, in case the act of processing the page requires data stored or referenced in the session. Static pages are not likely to reference the session, but dynamic pages (with any builders applied to them) may need to reference session data.
Unless you are explicitly attempting to close the browser window, and even sometimes when you are, your Logged Out page should display a message recommending that the user close the browser after logging out. This will remove dynamic session artifacts such as session cookies, security-related session cookies, and in memory cached pages with sensitive data on them.
Parent topic: Overview: security methodologies