form-based authentication & session.invalidate

Google

Mailing List

Home

Forum Home

JBoss - Java Application Server

Struts - A MVC web framework

Tomcat - JSP/Servlet container

iText - An open source PDF Java Library

JDOM - JDOM XML Parser

J2EE - A mailing list for Java(tm) 2 Platform, Enterprise Edition

J2EE Pattern - An interest list for Sun Java Center J2EE Pattern Catalog

Servlet - A mailing list for discussion about Sun Microsystem's Java Servlet API Technology

JSP - A mailing list about Java Server Pages specification and reference

Struts & Hibernate

Subjects

•	JSP editor plugin for eclipse ?
•	org apache jasper JasperException: Unable to compile class for JSP
•	Tomcat: Connection reset by peer: socket write error
•	Cannot retrieve definition for form bean null
•	Struts Tiles Tutorial (free Struts training)
•	Where do I download Tomcat 4 0 6?
•	Data Access Object (DAO) pattern, example DAO 's
•	Where to download Tomcat v 4 1 24 from?
•	Tomcat 5 0 16 Requested resource not available
•	Oracle Connection Pooling in 3 2 2
•	Servlet : Session invalidate
•	Servlet action is currently unavailable
•	Tomcat/Struts Unicode Encoding/Decoding problems
•	Tomcat and webapplication specific java library path
•	Running a Simple JMS Example
•	Mapping in workers2 properties
•	org apache jasper JasperException
•	Cannot find message resources under key org apache struts action MESSAGE
•	problem with html:text bean throwing exception
•	Cannot find message resources under key org apache struts action MESSAGE
•	invalid direct reference problem with solution
•	Tool for jsp debug Try Sysdeo Eclipse Plugin
•	Tomcat 5 Cannot load JDBC driver class 'null ' SQL state: null
•	weblogic ejbc
•	java properties file
•	Jboss 3 2 3 Coyote Can 't re
•	Tomcat 5, Apache2 and mod jk2 integration problem
•	JBoss example problem new to J2EE
•	url string for connecting jboss to oracle
•	Value attribute of <html:checkbox
•	javax servlet ServletException: BeanUtils populate
•	HTTP Status 404 The requested resource is not available
•	5 0 18: Windows XP Pro vs Windows 2000

form-based authentication & session.invalidate

form-based authentication & session.invalidate

2003-10-12 - By Adam Hardy

Back

Reply: 1 2 3 4 5

Although I've no real idea what an internal tomcat SessionEvent is, it
sounds like it's a bug. Give me the word and I'll enter it in bugzilla.

Adam

On 10/12/2003 01:57 AM Tim Funk wrote:
> Hmm. I always thought that when using the SSO valve, logging out of one
> webapp automatically logs you out of all webapps.
>
> The 5 code looks broken based on *very quick* inspection compared to 4.1
> based on lines 304-308.
>
> if ( event.getData() != null
> && "logout".equals( event.getData().toString() )) {
> // logout of all applications
> deregister(ssoId);
> } else {
> // invalidate just one session
> deregister(ssoId, session);
> }
>
> I haven't been able to locate how logout can be a value in a SessionEvent.
>
>
> -Tim
>
> Adam Hardy wrote:
>
>> I have just figured out that the SSO in JSESSIONIDSSO stands for
>> single-sign-on.
>>
>> I have the following JSP:
>>
>> remote user <%=request.getRemoteUser() %> in
>> session <%= session.getId() %>
>> <%
>> session.invalidate();
>> %>
>>
>> and after doing a login, I saw I got JSESSIONID and JSESSIONIDSSO
>> cookies. I then go to a second site on my tomcat and get a second
>> JSESSIONID without having to do a login coz of SSO.
>>
>> Now going to this page which has the stuff above, and refreshing over
>> and over always showed the following:
>>
>> remote user adam in session EB2543D909D52551EA58C77E963CDD17
>> remote user adam in session EA33F35CCB3D1205A88226029C65939C
>> remote user adam in session 8814C0365D3F0BDD97B1DE9B7EAECD17
>> remote user adam in session 1B7F0424190985F24A294EA2344888C5
>>
>> I see the JSESSIONIDSSO cookie is keeping my remoteUser info active.
>> This shouldn't be the case I'm sure. If I delete the SSO cookie in
>> mozilla, I get a login request on my next request.
>>
>> Also if I only login to one site, even though I get the SSO cookie,
>> when I invalidate the session, I immediately get a login request.
>> Strange.
>>
>> This is not correct behaviour for tomcat, is it?
>>
>> Adam

--
struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9

-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ------
To unsubscribe, e-mail: tomcat-user-unsubscribe@(protected)
For additional commands, e-mail: tomcat-user-help@(protected)