I know every session has a unique sessionID.
If I keep all userID-sessionID records in my web app,
my question is: when I want to "force" a user to log out,
how do I use the sessionID to find that session and kill it?
I don't know if you can locate an HttpSession object without an HttpServletRequest/response object, but you could use an external storage for "live" session IDs and go remove the session ID from there. Of course each time the user makes a request, the storage should be checked to figure out if the session should be destroyed.
For example, you could use an HttpSessionListener to add/remove the session ID into/from the storage upon session creation/removal.
Store the HttpSession object on the ServletContext via
context.setAttribute(<anystr>, (HttpSession) obj)
Let anystr be the session ID.
When you want to log a user out, remove the session object from the ServletContext (only one per webapp) and call
session.invalidate()
This will invalidate the session. When the user tries to do anything on this session, you can check if the session is valid and route him appropriately, to a "logged out" page.
Hope that helps...
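The two answers above combine into one listener-backed registry; the following is an added example, not code from either post. It assumes the javax.servlet API at Servlet 3.1 or later, and the class name SessionRegistry and the method forceLogout are hypothetical.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;
import javax.servlet.http.HttpSessionListener;

// Hypothetical class: tracks live sessions so one can be invalidated by ID
// from code that holds no HttpServletRequest for that user.
@WebListener
public class SessionRegistry implements HttpSessionListener, HttpSessionIdListener {

    // Session ID -> live session; static so admin code can reach it directly.
    private static final ConcurrentMap<String, HttpSession> LIVE = new ConcurrentHashMap<>();

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        HttpSession session = event.getSession();
        LIVE.put(session.getId(), session);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        // Fires on timeout, normal logout and forceLogout(), so no entry leaks.
        LIVE.remove(event.getSession().getId());
    }

    @Override
    public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
        // changeSessionId() at login (session-fixation defence) re-keys the entry.
        LIVE.remove(oldSessionId);
        LIVE.put(event.getSession().getId(), event.getSession());
    }

    /** Invalidates the session with this ID; false if unknown or already gone. */
    public static boolean forceLogout(String sessionId) {
        HttpSession session = LIVE.remove(sessionId);
        if (session == null) {
            return false;
        }
        try {
            session.invalidate();
            return true;
        } catch (IllegalStateException alreadyInvalidated) {
            return false; // lost a race with a timeout or a normal logout
        }
    }
}
```

The registry only sees sessions held by the JVM it runs in, so a clustered deployment needs the shared "live session" store from the first answer instead. Any userID-sessionID records kept alongside it must also be updated when the session ID changes at login.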