tomcat-users mailing list archives

From "Craig R. McClanahan" <>
Subject Re: Doubt in Single Sign On !!!
Date Tue, 28 Jan 2003 22:01:44 GMT

On Tue, 28 Jan 2003, Will Hartung wrote:

> Date: Tue, 28 Jan 2003 13:32:46 -0800
> From: Will Hartung <>
> Reply-To: Tomcat Users List <>
> To: Tomcat Users List <>
> Subject: Re: Doubt in Single Sign On !!!
> > From: "Craig R. McClanahan" <>
> > Sent: Tuesday, January 28, 2003 1:04 PM
> > Subject: Re: Doubt in Single Sign On !!!
> > The reason for this design is security.
> >
> > Consider a portal-type application like My Yahoo, which implements their
> > version of single sign on (you don't have to log in to mail, then to
> > games, then to ...).  I browse around between the apps, and decide to log
> > out.  Should the effect of this logout be global?  I would suggest that it
> > should -- you don't want to be in an Internet cafe and log out of one
> > Yahoo app, but forget that you haven't logged out of all the rest.
> All well and good, but it seems to me that the problem that is being
> described here is that the sessions of each application have their own
> distinct timers, rather than a global timer for the single-sign-on session.

True ... there is no such thing as a cross-application session defined in
the servlet spec.

> Using Yahoo as an example, and, say, a 15 minute timeout, it would be a fair
> expectation that if I log in to Yahoo, go read my mail, and then go and play
> Yahoo Cribbage for 30 minutes, then I would expect at the end of my last
> game to be able to pop back over to Yahoo Mail and still be authenticated.
> What is being described here sounds as if in this contrived example the
> Yahoo Mail will time out in 15 minutes because it wasn't accessed, even
> though I was still "logged in" and active over on Yahoo Games.
> > In the servlet world, session timeout logs you out (if you're using form
> > based login).  Therefore, it should be (and is) treated the same as an
> > explicit logout by the user.
> Of course. The difficulty here is that the actual application sessions
> perhaps need some kind of tie to the overall master single sign-on session,
> and not timeout until the SSO session times out.

You're outside the bounds of the servlet spec when you talk about this,
but nothing stops a container from providing something like it.

> Regards,
> Will Hartung
> (
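As an added illustration (not code from this thread or from Tomcat), the following Python model shows the container-level behaviour the two posts describe: activity in any linked application refreshes one master idle clock, and logout of the master entry, whether explicit or by timeout, invalidates every linked application session. The class name SsoRegistry, the session ids and the 15-minute, 30-minute cribbage scenario are constructed for the example.

```python
class SsoRegistry:
    """Constructed model of a container-level single sign-on (SSO) registry."""

    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout   # seconds of inactivity before SSO expiry
        self.entries = {}                  # sso_id -> {"last": t, "sessions": set()}
        self.session_to_sso = {}           # app session id -> sso_id
        self.valid_sessions = set()        # app sessions still authenticated

    def associate(self, sso_id, app_session, now):
        """Link an application session to the user's SSO entry (created on first use)."""
        entry = self.entries.setdefault(sso_id, {"last": now, "sessions": set()})
        entry["sessions"].add(app_session)
        entry["last"] = now
        self.session_to_sso[app_session] = sso_id
        self.valid_sessions.add(app_session)

    def touch(self, app_session, now):
        """Activity in any one app refreshes the master clock shared by all apps."""
        if app_session not in self.valid_sessions:
            return False
        self.entries[self.session_to_sso[app_session]]["last"] = now
        return True

    def logout(self, sso_id):
        """Global logout: every application session tied to this entry dies."""
        entry = self.entries.pop(sso_id, None)
        for app_session in (entry["sessions"] if entry else ()):
            self.valid_sessions.discard(app_session)
            self.session_to_sso.pop(app_session, None)

    def expire_idle(self, now):
        """Master-session timeout is treated exactly like an explicit logout."""
        for sso_id, entry in list(self.entries.items()):
            if now - entry["last"] > self.idle_timeout:
                self.logout(sso_id)

    def is_authenticated(self, app_session):
        return app_session in self.valid_sessions


def cribbage_scenario(play_minutes=30, idle_timeout_minutes=15):
    # Will's example: read mail, play games for 30 minutes, then return to mail.
    reg = SsoRegistry(idle_timeout=idle_timeout_minutes * 60)
    reg.associate("sso-1", "mail-session", now=0)
    reg.associate("sso-1", "games-session", now=0)
    for minute in range(5, play_minutes + 1, 5):   # a game move every five minutes
        reg.touch("games-session", now=minute * 60)
        reg.expire_idle(now=minute * 60)
    back_in_mail = reg.is_authenticated("mail-session")   # games kept SSO alive
    reg.logout("sso-1")                                   # log out of one app ...
    return back_in_mail, reg.is_authenticated("games-session")  # ... and all are out
```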

