tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <craig...@apache.org>
Subject Re: Doubt in Single Sign On !!!
Date Tue, 28 Jan 2003 21:04:28 GMT


On Tue, 28 Jan 2003, shanmugampl wrote:

> Date: Tue, 28 Jan 2003 10:46:13 +0530
> From: shanmugampl <shanmugampl@india.adventnet.com>
> Reply-To: Tomcat Users List <tomcat-user@jakarta.apache.org>,
>      shanmugampl@india.adventnet.com
> To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> Subject: Re: Doubt in Single Sign On !!!
>
> Yeah, I accept that SSO is for authentication purposes alone.
>
> My problem is different. Lets us consider the same two contexts A and B.
> I authenticate myself at context A. Once i authenticate, a JSESSIONIDSSO
> is created and sent as a cookie. The StandardSession object for context
> A will be associated to the SSO ID. Now after some time if i move on to
> context B, then the StandardSession Object of context B will also be
> associated with the SSO ID. If my time out period is 20 minutes and if i
> stay in context B alone for more than that time, the session of context
> A will be timed out. When this happens, SSO ID will be deregistered and
> as a result all the associated sessions will be invalidated. Therefore
> at the time of this happening, even if i am actively working in context
> B, i will asked to reauthenticate myself.

The reason for this design is security.

Consider a portal-type application like My Yahoo, which implements their
version of single sign on (you don't have to log in to mail, then to
games, then to ...).  I browse around between the apps, and decide to log
out.  Should the effect of this logout be global?  I would suggest that it
should -- you don't want to be in an Internet cafe and log out of one
Yahoo app, but forget that you haven't logged out of all the rest.

In the servlet world, session timeout logs you out (if you're using form
based login).  Therefore, it should be (and is) treated the same as an
explicit logout by the user.

>
> This is the reason why i thought  that SSO should take care of session
> time outs also.

If session timeouts are biting you, set longer session timeouts.

>
> Thanks
> Shanmugam.PL

Craig


--
To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>


Mime
View raw message