I never worked with WebLogic, but from JavaDoc here I can tell that calling getPortletSession() is already wrong idea if you want to invalidate existing session, because it’s said in JavaDocs:
Returns the current portlet session or, if there is no current session,
creates one and returns the new session.
So, it creates a new session, which is not what you want if you just want to invalidate already existing session.
The method you need is getPortletSession(boolean create), you need to pass false when calling it, and it may return null value if no session is available at the method of call, so you will need to handle null too:
PortletSession current = request.getPortletSession();
if (current != null) try {
current.invalidate();
} catch (IllegalStateException ignored) {
// ok: session is already invalidated
}
We need to catch this exception, because from what I see in JavaDocs, there is no way to determine if session is already invalidated or not. So we just invalidate anyway, and ignore IllegalStateException if it’s thrown due session is already invalidated.
Also, don’t forget to call response.sendRedirect(exitURL); before invalidating session, my intuition tells me it should be done before.