How to avoid "Invalid security key" messages on logout?
Hi all,
This is related to another thread about having proper session timeouts when using the Refresher add-on. I have everything working except how Vaadin responds to session handling.
In my sample app, I implement HttpServletRequestListener so that I can retrieve the HttpSession object during a request. I have a "log out" button that does the following:
    Button loButton = new Button("Log Out");
    loButton.addListener(new Button.ClickListener() {
        @Override
        public void buttonClick(Button.ClickEvent clickEvent) {
            // check for null session edited out
            session.invalidate();
        }
    });
The above works fine and brings the user back to the initial state of the app. However, my session check-then-invalidate code below doesn't work quite so well when it's not in a listener:
    @Override
    public void onRequestStart(HttpServletRequest req, HttpServletResponse resp) {
        session = req.getSession();
        // placeholder for the request-time check
        if (some_code_here_to_check_request_time) {
            session.invalidate();
        }
    }
Once the session is invalidated, the onRequestStart method exits into AbstractApplicationServlet#service, calling startApplication(), which then thinks that the application is no longer running (Application.applicationIsRunning is now false). So it inits the application again during the request, and when it tries to handle the UIDL request an InvalidUIDLSecurityKeyException is thrown.
Is there any way I can invalidate the session in the onRequestStart method and not have this exception get thrown? Anything I can tell the web app context to say "Hey, you can stop processing this one now"?
Thanks,
Bobby
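
A simplified model of the sequence described in the post above, added here as an example; it is not part of the original post and not Vaadin's code. The class, method and attribute names are hypothetical, and the session is a plain in-memory stand-in rather than an HttpSession.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Simplified model of the sequence described in the post. All class and
// method names are hypothetical; this is not Vaadin's implementation.
public class StaleKeyDemo {

    /** Stand-in for an HTTP session holding per-session attributes. */
    static class Session {
        final Map<String, Object> attrs = new HashMap<>();
        boolean valid = true;
        void invalidate() { valid = false; attrs.clear(); }
    }

    static final String KEY_ATTR = "security-key"; // constructed attribute name

    private Session current = new Session();

    /** Starts the application in the current session and issues a fresh key. */
    String startApplication() {
        String key = UUID.randomUUID().toString();
        current.attrs.put(KEY_ATTR, key);
        return key; // the client receives this and echoes it on later requests
    }

    /** Handles one client update request carrying the key the client holds. */
    String handleRequest(String clientKey, boolean timedOut) {
        if (timedOut) {
            current.invalidate();      // what onRequestStart does in the post
        }
        if (!current.valid) {
            current = new Session();   // a new session replaces the dead one
            startApplication();        // application is re-initialised mid-request
        }
        // The check runs against the NEW session; the client still holds the old key.
        if (!clientKey.equals(current.attrs.get(KEY_ATTR))) {
            return "rejected: invalid security key";
        }
        return "ok";
    }

    public static void main(String[] args) {
        StaleKeyDemo server = new StaleKeyDemo();
        String clientKey = server.startApplication();
        System.out.println(server.handleRequest(clientKey, false)); // normal request
        System.out.println(server.handleRequest(clientKey, true));  // timeout detected in-request
    }
}
```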