How to avoid "Invalid security key" messages on logout?

Hi all,

This is related to
another thread about having proper session timeouts when using the Refresher add-on
. I have everything working except how Vaadin responds to session handling.

In my sample app, I implement
HttpServletRequestListener
so that I can retrieve the HttpSession object during a request. I have a “log out” button that does the following:

        Button loButton = new Button("Log Out");
        loButton.addListener(new Button.ClickListener() {
            @Override
            public void buttonClick(Button.ClickEvent clickEvent) {
                // check for null session edited out
                session.invalidate();
            }
        });

The above works fine and brings the user back to the initial state of the app. However, my session check-then-invalidate code below doesn’t work quite so well when it’s not in a listener:

    @Override
    public void onRequestStart(HttpServletRequest req, HttpServletResponse resp) {
        session = req.getSession();
        if ( [b]
some_code_here_to_check_request_time
[/b] )) {
            session.invalidate();
        }
    }

Once the session is invalidated, the onRequestStart method exits into AbstractApplicationServlet#service, calling startApplication(), which then thinks that the application is no longer running (Application.applicationIsRunning is now false). So it inits the application again during the request, and when it tries to handle the UIDL request an InvalidUIDLSecurityKeyException is thrown.

Is there any way I can invalidate the session in the onRequestStart method and not have this exception get thrown? Anything I can tell the web app context to say “Hey, you can stop processing this one now”?

Thanks,
Bobby