SessionListener sessionDestroyed not called

Question

Seems I've run into a wall with the SessionListener implementation in XPages. The listener prints output to the log when a session is created, so I know its registered properly. However, it doesn't call sessionDestroyed upon logout. Is there any special URL redirect I need to perform to have the Domino / XPage session destroyed immediately upon logout? As you can see I've tried clearing scopes, and clearing cookies trying to get the sessionDestroyed method to fire. Note that sessionDestroyed does get called when I restart the http server task, so it seems the sessions might be lingering until the inactivity timeout.

Dev Server is: 9.0.1 (64 bit, running locally on Win7) Running Session Based Authentication single server (note: I tried basic auth, same problem)

logout utility method (called by SSJS):

    public static void logout(){


    String url = XSPUtils.externalContext().getRequestContextPath() + "?logout&redirectto=" + externalContext().getRequestContextPath();
    XSPUtils.getRequest().getSession(false).invalidate();

    //wipe out the cookies
    for(Cookie cookie : getCookies()){
        cookie.setValue("");
        cookie.setPath("/");
        cookie.setMaxAge(0);
        XSPUtils.getResponse().addCookie(cookie);
    }

    try {
        XSPUtils.externalContext().redirect(url);
    } catch (IOException e) {
        logger.log(Level.SEVERE,null,e);
    }
}

simple session listener:

public class MySessionListener implements SessionListener {

public void sessionCreated(ApplicationEx arg0, HttpSessionEvent event) {
    System.out.println("***sessionCreated***");

}

public void sessionDestroyed(ApplicationEx arg0, HttpSessionEvent event) {
    System.out.println("***sessionDestroyed***");
}

}

Answer 1

we're looking at coupling the traditional http stack "?logout" behavior with the XPages runtime session management layer. Currently, sessions are discarded based on the session timeout expiry and/or http stack restart. If you want to force session removal and have your SessionListener.sessionDestroyed invoked refer to the following XSP fragment - this is equally applicable for porting into Java:

<xp:button value="Logout" id="button2">
    <xp:eventHandler event="onclick" submit="true"
        refreshMode="complete">
        <xp:this.action>
            <![CDATA[#{javascript:
                // things we need...
                var externalContext = facesContext.getExternalContext();
                var request = externalContext.getRequest();
                var response = externalContext.getResponse();
                var currentContext = com.ibm.domino.xsp.module.nsf.NotesContext.getCurrent();
                var session = request.getSession(false);
                var sessionId = session.getId();

                // flush the cookies and invalidate the HTTP session...
                for(var cookie in request.getCookies()){
                    cookie.setValue("");
                    cookie.setPath("/");
                    cookie.setMaxAge(0);
                    response.addCookie(cookie);
                }
                session.invalidate();

                // now nuke the XSP session from RAM, then jump to logout...
                currentContext.getModule().removeSession(sessionId);
                externalContext.redirect("http://foo/bar.nsf?logout");
            }]]>
        </xp:this.action>
    </xp:eventHandler>
</xp:button>