In the httpservlet session, I use the following code to invalidate the session and logout
session.invalidate();
session = null;
HttpServletRequest.logout();
But, still, it seems the user can just provide the application URL again(without closing the browser) to login again without providing the credentials i.e. the session still seems to be active. Am I missing something here? My servlet version is 3.0.1
