tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Brian Stansberry" <b_stansbe...@hotmail.com>
Subject Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenti cator SingleSignOn.java
Date Mon, 20 Sep 2004 23:03:54 GMT
Hi Jan,


>>At 11:02 PM 9/20/2004 +0000, you wrote:
>>
>>>luehe       2004/09/16 11:18:41
>>>
>>>  Modified:    catalina/src/share/org/apache/catalina/authenticator
>>>                        SingleSignOn.java
>>>  Log:
>>>  - Removed deregister(String ssoid), because it is no longer needed
>>>    (used to be called when session was logged out, which is no longer
>>>    supported)
>>>
>>
>>I'm not sure what you meant here by "no longer supported."  Do you mean 
>>the cross-webapp signout feature that deregister(String ssoid) provided, 
>>or has there been some more fundamental change in TC's handling of 
>>HttpSession.invalidate()?
>
>I was referring to the removal of javax.servlet.http.HttpSession.logout(),
>which had been added temporarily to Servlet 2.4 and was later removed
>before the spec went final. See this log entry in the history of
>javax.servlet.http.HttpSession:
>
>   revision 1.3
>   date: 2003/04/07 21:27:36;  author: jfarcand;  state: Exp;  lines: +0
>   -15
>   As required by the upcoming Servlet spec 2.4 PFD 3, remove the
>   logout() method.
>
>This method was the only method that generated a SessionEvent of
>type SESSION_DESTROYED_EVENT with event data equal to "logout", which
>used to invalidate all remaining sessions (if any) associated with
>the SingleSignOn entry.

The code in sessionEvent() that checked the session's last accessed time was 
intended as a workaround to try to discriminate timeouts from intentional 
logouts after the logout() method was removed from the spec.  It was applied 
as a fix to bug 9077, which complained about the SSO valve not invalidating 
related sessions.  The CVS logs for SingleSignOn.java revs 1.7 and 1.11 
touch on this and there was also some discussion on the dev list last Nov 
24.  I'm curious as to why this is no longer supported.  Could a config 
parameter be added to the valve to allow this behavior?

_________________________________________________________________
STOP MORE SPAM with the new MSN 8 and get 2 months FREE* 
http://join.msn.com/?page=features/junkmail


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org


Mime
View raw message