form-based authentication & session.invalidate 2003-10-11 - By Tim Funk
Hmm. I always thought that when using the SSO valve, logging out of one webapp automatically logs you out of all webapps.
The 5 code looks broken based on *very quick* inspection compared to 4.1 based on lines 304-308.
    if ( event.getData() != null && "logout".equals( event.getData().toString() )) {
        // logout of all applications
        deregister(ssoId);
    } else {
        // invalidate just one session
        deregister(ssoId, session);
    }
I haven't been able to locate how logout can be a value in a SessionEvent.
-Tim
Adam Hardy wrote:
> I have just figured out that the SSO in JSESSIONIDSSO stands for
> single-sign-on.
>
> I have the following JSP:
>
>     remote user <%=request.getRemoteUser() %> in
>     session <%= session.getId() %>
>     <%
>     session.invalidate();
>     %>
>
> and after doing a login, I saw I got JSESSIONID and JSESSIONIDSSO
> cookies. I then go to a second site on my tomcat and get a second
> JSESSIONID without having to do a login coz of SSO.
>
> Now going to this page which has the stuff above, and refreshing over
> and over always showed the following:
>
>     remote user adam in session EB2543D909D52551EA58C77E963CDD17
>     remote user adam in session EA33F35CCB3D1205A88226029C65939C
>     remote user adam in session 8814C0365D3F0BDD97B1DE9B7EAECD17
>     remote user adam in session 1B7F0424190985F24A294EA2344888C5
>
> I see the JSESSIONIDSSO cookie is keeping my remoteUser info active.
> This shouldn't be the case I'm sure. If I delete the SSO cookie in
> mozilla, I get a login request on my next request.
>
> Also if I only login to one site, even though I get the SSO cookie, when
> I invalidate the session, I immediately get a login request. Strange.
>
> This is not correct behaviour for tomcat, is it?
>
> Adam
--
To unsubscribe, e-mail: tomcat-user-unsubscribe@(protected)
For additional commands, e-mail: tomcat-user-help@(protected)
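The behaviour the thread is puzzling over can be modelled in a few lines. The following is an added example, not Tomcat's code: a toy SSO registry in which an SSO id (the JSESSIONIDSSO cookie value) carries the principal plus the per-webapp sessions signed in under it. It follows the branch quoted from 4.1 above: a session event whose data is the string "logout" deregisters every session sharing the SSO id, while a plain session.invalidate() removes only that one session, and the SSO entry survives as long as at least one other webapp session is still attached. The class and method names (SsoRegistry, login, register, deregister, on_session_event) and the sample session ids are constructed for this illustration; the model reproduces the observations Adam reports, it does not claim to be the container's implementation.

```python
"""Toy single-sign-on registry (added example, not Tomcat code).

Models the rule quoted from the 4.1 source: data == "logout" deregisters
the whole SSO id; anything else deregisters just the one session.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    """Stand-in for one webapp's HTTP session (constructed for the model)."""
    session_id: str
    webapp: str
    valid: bool = True

    def invalidate(self) -> None:
        self.valid = False


@dataclass
class SsoRegistry:
    """sso_id -> (remote user, {session_id: Session}) (hypothetical class)."""
    entries: Dict[str, Tuple[str, Dict[str, Session]]] = field(default_factory=dict)

    def login(self, sso_id: str, user: str) -> None:
        # Successful form login: an SSO entry is created for the principal.
        self.entries[sso_id] = (user, {})

    def register(self, sso_id: str, session: Session) -> None:
        # A second webapp hands out its own JSESSIONID, tied to the same SSO id.
        _user, sessions = self.entries[sso_id]
        sessions[session.session_id] = session

    def remote_user(self, sso_id: str) -> Optional[str]:
        # What getRemoteUser() would answer for a request carrying this SSO cookie.
        entry = self.entries.get(sso_id)
        return entry[0] if entry else None

    def deregister(self, sso_id: str, session: Optional[Session] = None) -> None:
        if sso_id not in self.entries:
            return
        _user, sessions = self.entries[sso_id]
        if session is None:
            # logout of all applications: expire every session, drop the SSO id
            for s in sessions.values():
                s.invalidate()
            del self.entries[sso_id]
            return
        # invalidate just one session; the SSO id stays while others remain
        sessions.pop(session.session_id, None)
        session.invalidate()
        if not sessions:
            # last attached session gone: nothing left to carry the identity
            del self.entries[sso_id]

    def on_session_event(self, sso_id: str, session: Session, data=None) -> None:
        # Mirrors the branch quoted from the 4.1 source in the post above.
        if data is not None and "logout" == str(data):
            self.deregister(sso_id)
        else:
            self.deregister(sso_id, session)


def two_apps_invalidate_one():
    """Logged in to two webapps, invalidate only the first one's session."""
    reg = SsoRegistry()
    reg.login("SSO-1", "adam")
    a, b = Session("A1", "app1"), Session("B1", "app2")
    reg.register("SSO-1", a)
    reg.register("SSO-1", b)
    reg.on_session_event("SSO-1", a)          # plain session.invalidate()
    return reg.remote_user("SSO-1"), b.valid  # user still known, app2 still valid


def one_app_invalidate():
    """Logged in to a single webapp, invalidate its session."""
    reg = SsoRegistry()
    reg.login("SSO-1", "adam")
    a = Session("A1", "app1")
    reg.register("SSO-1", a)
    reg.on_session_event("SSO-1", a)
    return reg.remote_user("SSO-1")           # None: next request needs a login


def two_apps_logout():
    """Logged in to two webapps, then an explicit logout event."""
    reg = SsoRegistry()
    reg.login("SSO-1", "adam")
    a, b = Session("A1", "app1"), Session("B1", "app2")
    reg.register("SSO-1", a)
    reg.register("SSO-1", b)
    reg.on_session_event("SSO-1", a, data="logout")
    return reg.remote_user("SSO-1"), a.valid, b.valid
```

The first scenario is the one in the JSP above: invalidating one webapp's session leaves the SSO entry intact, so getRemoteUser() keeps answering and a fresh JSESSIONID is minted on every refresh. The second reproduces the "only one site" case, where the last attached session going away takes the SSO entry with it. Only the third path ends the sign-on for every webapp at once, which is why a logout handler that merely calls session.invalidate() is an incomplete logout under SSO.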