form-based authentication & session.invalidate
2003-10-11 - By Adam Hardy
I have just figured out that the SSO in JSESSIONIDSSO stands for single sign-on.
I have the following JSP:
remote user <%=request.getRemoteUser() %> in session <%= session.getId() %> <% session.invalidate(); %>
and after doing a login, I saw I got JSESSIONID and JSESSIONIDSSO cookies. I then go to a second site on my tomcat and get a second JSESSIONID without having to do a login because of SSO.
Now going to this page which has the stuff above, and refreshing over and over always showed the following:
remote user adam in session EB2543D909D52551EA58C77E963CDD17
remote user adam in session EA33F35CCB3D1205A88226029C65939C
remote user adam in session 8814C0365D3F0BDD97B1DE9B7EAECD17
remote user adam in session 1B7F0424190985F24A294EA2344888C5
I see the JSESSIONIDSSO cookie is keeping my remoteUser info active. This shouldn't be the case I'm sure. If I delete the SSO cookie in mozilla, I get a login request on my next request.
Also if I only login to one site, even though I get the SSO cookie, when I invalidate the session, I immediately get a login request. Strange.
This is not correct behaviour for tomcat, is it?
Adam
On 10/11/2003 06:04 PM Tim Funk wrote:
> Authentication information is somewhat stored in the session for form
> based authentication. (I can't remember the specifics) So using
> session.invalidate should log the user out. This works since the session
> id which is a cookie or URL rewriting scheme is what the browser keys in
> on. By invalidating that id on the server, the browser is now sending an
> invalid credential and thus logged out.
>
> In BASIC authentication, the credentials are stored in the web browser
> and sent when/if requested. So the only way to get rid of those stored
> credentials is by closing the web browser.
>
> [Of course, when the web server is restarted or web app restarted - I
> can't recall what happens to the authentication information. ]
>
> -Tim
>
> Adam Hardy wrote:
>
>> I am using session.invalidate() to try to cause the user to receive
>> another login request, using CMS form-based authentication.
>>
>> I saw the same issue in bugzilla but for basic authentication:
>>
>> http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12147
>>
>> where the tomcat developer/bugzilla person resolved the issue saying
>> that CMS basic authentication cannot be manipulated in this way since
>> the browser sends the login info with every request, requiring the
>> user to close the browser before seeing another login request.
>>
>> Is this the same for form-based authentication?
>>
>> I thought that in tomcat4 I was getting new login request for the
>> users just by invalidating their sessions. Am I deluding myself?
-- struts 1.1 + tomcat 5.0.12 + java 1.4.2 Linux 2.4.20 RH9
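The behaviour described above (session.invalidate() alone does not end an SSO login, because the browser keeps sending JSESSIONIDSSO) is why a logout handler for a Tomcat SSO setup has to expire that cookie as well. The servlet below is an added example, not code from the thread or from Tomcat; it assumes the SSO cookie is named JSESSIONIDSSO with path "/" (as the cookie in the post suggests) and that the app is mapped under a context path.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical logout servlet: drops this web app's session on the server
 * and tells the browser to discard the Tomcat SSO cookie, so the next
 * request to a protected page triggers the login form again.
 */
public class LogoutServlet extends HttpServlet {

    // Cookie name assumed from the post (Tomcat's single sign-on cookie).
    private static final String SSO_COOKIE = "JSESSIONIDSSO";

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // 1. Invalidate the application's own session (server side).
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Expire the browser-side SSO cookie. The path must match the one
        //    Tomcat used when setting it ("/"), otherwise the browser keeps
        //    the original cookie and the user is silently logged back in.
        Cookie[] cookies = request.getCookies();
        for (int i = 0; cookies != null && i < cookies.length; i++) {
            if (SSO_COOKIE.equals(cookies[i].getName())) {
                Cookie expired = new Cookie(SSO_COOKIE, "");
                expired.setPath("/");
                expired.setMaxAge(0); // max-age 0 asks the browser to delete it now
                response.addCookie(expired);
            }
        }

        // 3. Stop caches from replaying a protected page after logout, then
        //    send the user to the app root, where the login constraint applies.
        response.setHeader("Cache-Control", "no-store");
        response.sendRedirect(request.getContextPath() + "/");
    }
}
```

Expiring the cookie only affects this browser; any other application session still attached to the same SSO entry on the server remains valid until it is invalidated or times out. On Servlet 3.0 and later containers, request.logout() is the portable way to ask the container to drop the authenticated identity.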