tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dominik Drzewiecki" <drz...@post.pl>
Subject Standard sessions included in the SSO session expire
Date Wed, 03 Aug 2005 10:03:19 GMT
I have a conceptual question wrt the Single Sign On behaviour.

Let's assume there are two applications /app1 and /app2, and there is a SSO 
setup on them both. Now, user logs into the /app1 (which requires 
authentication) and /app2 (which uses SSO Cookie, no authentication then), 
and later on makes use of only one of them (say: /app1) for quite a long 
time, so that this period outlives the session expiry date of the unused 
application (/app2). Provided that both applications establish their own 
sessions the one created in the scope of constantly used application 
(/app1) wouldn't expire, while the second one definitely would. 

Now the question: As both sessions are gathered into a higher-level SSO 
session, would it be against the specification if *all* standard sessions 
were aged (eg. by calling session.access()) on each request containing 
valid SSO cookie? I suggest that there should be a flag on the SSO Valve, 
that is org.apache.catalina.authenticator.SingleSignOn allowing users to 
specify the behaviour. If nobody objects, I could try to provide apropriate 
patch.

cheers,
/dd


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org


Mime
View raw message