You should have a logout servlet/JSP which invalidates the session in one of the following ways:

- Before Servlet 3.0, use the `session.invalidate()` method, which also invalidates the session.
- Servlet 3.0 provides an API method, `HttpServletRequest.logout()`, which invalidates only the security context; the session still exists.

And the application UI should provide a link which invokes that logout servlet/JSP.

Question: Indeed, how can I force a logout after, say, the session times out, etc.?

Answer: The `<session-timeout>` element in `web.xml` lets you define the timeout value after which the session will get invalidated by the server. You can do it programmatically using the `logout()` method of `HttpServletRequest`. There is also a corresponding method for logging in with `username` and `password`. These methods were added in Servlet 3.0, so they're available in Java EE 6. A timeout is a different beast and can be specified in `web.xml` as follows:
```xml
<session-config>
    <session-timeout>30</session-timeout>
</session-config>
```
The time unit is minutes.
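The two answers above describe two different things: `HttpServletRequest.logout()` clears the container's security context but leaves the `HttpSession` alive, while `session.invalidate()` drops the session and its attributes. A logout servlet therefore wants both, with the `web.xml` `<session-timeout>` covering the idle-expiry case. The servlet below is an added example written for this page, not code from either answer; the `/logout` mapping, the class name and the redirect target are assumptions, and it uses the `javax.servlet` (Servlet 3.0 / Java EE 6) API.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical logout servlet (Servlet 3.0+). The mapping "/logout" is an
// assumption; the application UI links or posts to this path.
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Servlet 3.0: drop the container-managed security context, so
        //    getRemoteUser() / getUserPrincipal() return null afterwards.
        //    This does NOT invalidate the HttpSession: any application state
        //    stored in the session would survive if we stopped here.
        try {
            req.logout();
        } catch (ServletException e) {
            // Thrown when the container's login mechanism cannot perform a
            // logout (for example, no authentication is configured at all).
            // Fall through: the session is still invalidated below.
        }

        // 2. The pre-3.0 step, still required: invalidate the session so its
        //    attributes are gone and the old JSESSIONID no longer resolves to
        //    anything on the server side.
        HttpSession session = req.getSession(false); // never create one here
        if (session != null) {
            session.invalidate();
        }

        // 3. Keep the post-logout response out of caches and send the user to
        //    a public page (the context root is an assumed target).
        resp.setHeader("Cache-Control", "no-store");
        resp.sendRedirect(req.getContextPath() + "/");
    }

    // GET is accepted only so a plain logout link, as the first answer
    // suggests, keeps working. A GET logout can be triggered cross-site
    // (an <img src="/app/logout"> on any page logs the victim out), so a
    // POST carrying the application's CSRF token is the better choice.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        doPost(req, resp);
    }
}
```

The `<session-timeout>` in `web.xml` handles the idle case: the container invalidates the session after 30 minutes without a request, and the next request gets a fresh, unauthenticated session. If a single session needs a different limit, `session.setMaxInactiveInterval(seconds)` on the `HttpSession` sets it programmatically (note that it takes seconds, whereas `<session-timeout>` is in minutes).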