HttpServletRequest logout on old servlet-api-2.3.jar

Question 1

atg.servlet.ServletUtil.invalidateSessionNameContext(request, atg.servlet.ServletUtil.getCurrentRequest().getSession(false));
atg.servlet.ServletUtil.invalidateSession(request, atg.servlet.ServletUtil.getCurrentRequest().getSession(false));
// Redirect, the profile is null from here on.
response.sendRedirect("login");

Question 2

It depends on what the semantics of logging in are in your application.

Typically, this should do it unless you're doing something exotic:

request.getSession().invalidate();

I'm not familiar with Dynamo, so you may want to see if it has any specifics about session management, as some frameworks do.

And if you're using any security frameworks, you may need to clear/de-autenticate an authentication token.

Question 3

I encountered this problem too and found this in the ATG documentation:

Some application servers maintain a single session ID between web applications for the same client (browser), in which case the session name context ID is the current web application’s session ID. This behavior is controlled by the /atg/dynamo/ servlet/sessiontracking/GenericSessionManager.singleSessionIdPerUser property, which is set to one of the following default values in the DafEar sub-module configuration layer:

WebLogic – false <--

JBoss – true

WebSphere - true

Note: Do not change these values from their defaults.

This means that on jboss and websphere you can safely use session.invalidate() however on WebLogic you will need to use something along the lines of:

protected void forceLogout(DynamoHttpServletRequest pRequest) {
    HttpSession session= pRequest.getSession(false);
    if (session != null ) {
        // When ATG runs on weblogic you need to ensure the parent session is invalidated
        // session.invalidate() does not work.
        atg.servlet.ServletUtil.invalidateSession(pRequest, session);
    }
}

I hope this helps explain why.