tomcat-dev mailing list archives

From Jan Luehe <Jan.Lu...@Sun.COM>
Subject Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator
Date Tue, 21 Sep 2004 01:59:25 GMT
Brian Stansberry wrote:
> Hi Jan,
>>> At 11:02 PM 9/20/2004 +0000, you wrote:
>>>> luehe       2004/09/16 11:18:41
>>>>  Modified:    catalina/src/share/org/apache/catalina/authenticator
>>>>  Log:
>>>>  - Removed deregister(String ssoid), because it is no longer needed
>>>>    (used to be called when session was logged out, which is no longer
>>>>    supported)
>>> I'm not sure what you meant here by "no longer supported."  Do you 
>>> mean the cross-webapp signout feature that deregister(String ssoid) 
>>> provided, or has there been some more fundamental change in TC's 
>>> handling of HttpSession.invalidate()?
>> I was referring to the removal of 
>> javax.servlet.http.HttpSession.logout(),
>> which had been added temporarily to Servlet 2.4 and was later removed
>> before the spec went final. See this log entry in the history of
>> javax.servlet.http.HttpSession:
>>   revision 1.3
>>   date: 2003/04/07 21:27:36;  author: jfarcand;  state: Exp;  lines: +0
>>   -15
>>   As required by the upcoming Servlet spec 2.4 PFD 3, remove the
>>   logout() method.
>> This method was the only method that generated a SessionEvent of
>> type SESSION_DESTROYED_EVENT with event data equal to "logout", which
>> used to invalidate all remaining sessions (if any) associated with
>> the SingleSignOn entry.
> The code in sessionEvent() that checked the session's last accessed time 
> was intended as a workaround to try to discriminate timeouts from 
> intentional logouts after the logout() method was removed from the 
> spec.  It was applied as a fix to bug 9077, which complained about the 
> SSO valve not invalidating related sessions.  The CVS logs for 
> revs 1.7 and 1.11 touch on this and there was also 
> some discussion on the dev list last Nov 24.  I'm curious as to why this 
> is no longer supported.

OK, my bad. I've restored the previous version. Maybe 
SessionEvent.getData() could have differentiated between session
expiration and session invalidation, so we would not have to determine
the cause of the SESSION_DESTROYED_EVENT by comparing
getLastAccessedTime() and getMaxInactiveInterval()?

In any case, as a result of this, I am going to restore this bullet in 
the Single Sign-On documentation, after removing the part marked by
[REMOVE ...]:

   "As soon as the user logs out of one web application (for example, by
   invalidating [REMOVE: or timing out] the corresponding session if form
   based login is used), the user's sessions in all web applications will
   be invalidated. Any subsequent attempt to access a protected resource
   in any application will require the user to authenticate himself or
   herself again."



> Could a config parameter be added to the valve 
> to allow this behavior?
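The timeout-versus-logout heuristic discussed in this message, sketched as an added example; it is not part of the original e-mail and is not Tomcat's own code. `Sess`, `classify`, `onDestroyed`, the registry map and all sample values are hypothetical and constructed for illustration, and the code assumes Java 17 or later.

```java
import java.util.*;

public class SsoSessionEndDemo {
    enum Cause { TIMEOUT, LOGOUT }

    // Hypothetical stand-in for a container session: times in ms, interval in seconds.
    record Sess(String id, String app, long lastAccessed, int maxInactiveSec) {}

    // Heuristic from the thread: idle for at least the max inactive interval => timeout.
    static Cause classify(Sess s, long nowMs) {
        boolean canExpire = s.maxInactiveSec() > 0; // non-positive: session never times out
        long idleMs = nowMs - s.lastAccessed();
        return (canExpire && idleMs >= s.maxInactiveSec() * 1000L) ? Cause.TIMEOUT : Cause.LOGOUT;
    }

    // ssoId -> sessions in all web applications that share one sign-on (assumed registry)
    static final Map<String, List<Sess>> sso = new HashMap<>();

    // Returns the ids of sibling sessions that must be invalidated because `destroyed` ended.
    static List<String> onDestroyed(String ssoId, Sess destroyed, long nowMs) {
        List<Sess> linked = sso.getOrDefault(ssoId, new ArrayList<>());
        linked.remove(destroyed);
        if (classify(destroyed, nowMs) == Cause.TIMEOUT) {
            if (linked.isEmpty()) sso.remove(ssoId);
            return List.of(); // timeout: only this session leaves the sign-on entry
        }
        sso.remove(ssoId);    // logout: drop the entry and end every session still linked
        return linked.stream().map(Sess::id).toList();
    }

    public static void main(String[] args) {
        long now = 1_000_000_000L; // constructed clock value
        Sess shop = new Sess("s1", "/shop", now - 5_000, 1800);
        Sess mail = new Sess("s2", "/mail", now - 2_000_000, 1800); // idle longer than 30 min
        Sess wiki = new Sess("s3", "/wiki", now - 60_000, 1800);
        sso.put("sso-A", new ArrayList<>(List.of(shop, mail, wiki)));

        // mail is idle past its limit, so its destruction is treated as a timeout
        System.out.println("after /mail ends: " + onDestroyed("sso-A", mail, now));
        // shop was used 5 s ago, so its destruction is treated as a logout
        System.out.println("after /shop ends: " + onDestroyed("sso-A", shop, now));
        // Edge case: invalidate() on a session already idle for its full interval
        // cannot be told apart from a timeout, so sibling sessions would stay alive.
        Sess late = new Sess("s4", "/shop", now - 1_800_000, 1800);
        System.out.println("late logout classified as: " + classify(late, now));
    }
}
```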