tomcat-users mailing list archives

From "Will Hartung" <>
Subject Re: Doubt in Single Sign On !!!
Date Tue, 28 Jan 2003 21:32:46 GMT
> From: "Craig R. McClanahan" <>
> Sent: Tuesday, January 28, 2003 1:04 PM
> Subject: Re: Doubt in Single Sign On !!!

> The reason for this design is security.
> Consider a portal-type application like My Yahoo, which implements their
> version of single sign on (you don't have to log in to mail, then to
> games, then to ...).  I browse around between the apps, and decide to log
> out.  Should the effect of this logout be global?  I would suggest that it
> should -- you don't want to be in an Internet cafe and log out of one
> Yahoo app, but forget that you haven't logged out of all the rest.

All well and good, but it seems to me that the problem that is being
described here is that the sessions of each application have their own
distinct timers, rather than a global timer for the single-sign-on session.

Using Yahoo as an example, and, say, a 15 minute timeout, it would be a fair
expectation that if I log in to Yahoo, go read my mail, and then go and play
Yahoo Cribbage for 30 minutes, then I would expect at the end of my last
game to be able to pop back over to Yahoo Mail and still be authenticated.

What is being described here sounds as if, in this contrived example,
Yahoo Mail will time out in 15 minutes because it wasn't accessed, even
though I was still "logged in" and active over on Yahoo Games.

> In the servlet world, session timeout logs you out (if you're using form
> based login).  Therefore, it should be (and is) treated the same as an
> explicit logout by the user.

Of course. The difficulty here is that the actual application sessions
perhaps need some kind of tie to the overall master single sign-on session,
and not time out until the SSO session times out.


Will Hartung
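
The two timeout policies argued over in this thread, as an added model that is not part of the original message and not Tomcat's own SingleSignOn code: "per_app" treats an idle timeout in any one application session as a logout of the whole SSO session (the behaviour Craig describes), while "global" keeps a single idle timer on the master SSO session that any application's request refreshes (what Will expects). The registry, the 15 minute timeout and the mail/games timeline are constructed for illustration; times are in seconds.

```python
"""Constructed model of two single sign-on idle-timeout policies (not Tomcat code)."""
from dataclasses import dataclass, field
from typing import Dict

MIN = 60  # seconds per minute; all timestamps below are seconds


@dataclass
class SsoSession:
    user: str
    last_access: float                                        # last request from any app (global timer)
    app_last_access: Dict[str, float] = field(default_factory=dict)  # per-application timers


class SsoRegistry:
    """Tracks SSO sessions under either a per-application or a global idle timer."""

    def __init__(self, idle_timeout: float, policy: str):
        if policy not in ("per_app", "global"):
            raise ValueError(f"unknown policy: {policy}")
        self.idle_timeout = idle_timeout
        self.policy = policy
        self.sessions: Dict[str, SsoSession] = {}
        self._next_id = 0

    def login(self, user: str, now: float) -> str:
        sso_id = f"sso-{self._next_id}"  # placeholder id, a real one must be unguessable
        self._next_id += 1
        self.sessions[sso_id] = SsoSession(user, now)
        return sso_id

    def logout(self, sso_id: str) -> None:
        # Logout is always global: every application session goes with the SSO session.
        self.sessions.pop(sso_id, None)

    def _expired(self, s: SsoSession, now: float) -> bool:
        if self.policy == "global":
            # One master timer, refreshed by activity in any application.
            return now - s.last_access > self.idle_timeout
        # per_app: an idle timeout in any single application counts as a logout.
        return any(now - t > self.idle_timeout for t in s.app_last_access.values())

    def access(self, sso_id: str, app: str, now: float) -> bool:
        """Return True if the request is still authenticated; expire lazily on access."""
        s = self.sessions.get(sso_id)
        if s is None:
            return False
        if self._expired(s, now):
            self.logout(sso_id)
            return False
        s.last_access = now
        s.app_last_access[app] = now
        return True


def run_scenario(policy: str) -> Dict[str, bool]:
    """Log in, read mail once, play games every 5 minutes for 30 minutes, then return to mail."""
    reg = SsoRegistry(15 * MIN, policy)
    sid = reg.login("alice", 0)  # constructed user
    results = {"mail@0": reg.access(sid, "mail", 0)}
    for t in range(5, 31, 5):
        results[f"games@{t}"] = reg.access(sid, "games", t * MIN)
    results["mail@31"] = reg.access(sid, "mail", 31 * MIN)
    results["mail@50"] = reg.access(sid, "mail", 50 * MIN)  # 19 idle minutes before this one
    return results


if __name__ == "__main__":
    for policy in ("per_app", "global"):
        print(policy, run_scenario(policy))
```

Under "per_app" the untouched mail session crosses the 15 minute mark while the user is busy in games, so the games request at minute 20 is also refused and the return to mail at minute 31 fails. Under "global" every request up to minute 31 succeeds, and the session still dies after the 19 minute idle gap, so the Internet-cafe concern from the quoted message is still covered by the single master timer.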
