Message-ID: <009901c2c714$ccce9840$01000001@Will>
From: "Will Hartung"
To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
References: <20030128130142.V17734-100000@icarus.apache.org>
Subject: Re: Doubt in Single Sign On !!!
Date: Tue, 28 Jan 2003 13:32:46 -0800

> From: "Craig R. McClanahan"
> Sent: Tuesday, January 28, 2003 1:04 PM
> Subject: Re: Doubt in Single Sign On !!!

> The reason for this design is security.
>
> Consider a portal-type application like My Yahoo, which implements their
> version of single sign on (you don't have to log in to mail, then to
> games, then to ...). I browse around between the apps, and decide to log
> out. Should the effect of this logout be global? I would suggest that it
> should -- you don't want to be in an Internet cafe and log out of one
> Yahoo app, but forget that you haven't logged out of all the rest.

All well and good, but it seems to me that the problem that is being
described here is that the sessions of each application have their own
distinct timers, rather than a global timer for the single sign-on session.

Using Yahoo as an example, and, say, a 15 minute timeout, it would be a fair
expectation that if I log in to Yahoo, go read my mail, and then go and play
Yahoo Cribbage for 30 minutes, then I would expect at the end of my last game
to be able to pop back over to Yahoo Mail and still be authenticated.

What is being described here sounds as if, in this contrived example, Yahoo
Mail will time out in 15 minutes because it wasn't accessed, even though I
was still "logged in" and active over on Yahoo Games.

> In the servlet world, session timeout logs you out (if you're using form
> based login). Therefore, it should be (and is) treated the same as an
> explicit logout by the user.

Of course. The difficulty here is that the actual application sessions
perhaps need some kind of tie to the overall master single sign-on session,
and not time out until the SSO session times out.

Regards,

Will Hartung
(willh@msoft.com)
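A small model of the two timeout policies being argued about in this thread, added here as an illustration; it is constructed for this note and is not code from the thread or from Tomcat's SingleSignOn valve. It assumes a 15 minute idle timeout and measures time in whole minutes; the "tie to SSO" policy is Will's proposal, the other is the per-application-timer behaviour Craig describes.

```python
# Constructed model: one portal, a master SSO session, one session per web app.
# Times are minutes since login; TIMEOUT is the idle limit for any session.
TIMEOUT = 15


class Portal:
    """Tracks a master SSO session plus one session per web application."""

    def __init__(self, tie_to_sso):
        # tie_to_sso=False: each app session keeps its own idle timer, and an
        #   app session that times out logs the user out globally (Craig's case).
        # tie_to_sso=True: app sessions live as long as the master SSO session,
        #   which any app request refreshes (Will's proposal).
        self.tie_to_sso = tie_to_sso
        self.sso_last = None   # time of the last request seen by the SSO session
        self.apps = {}         # app name -> time of its last request

    def login(self, app, now):
        self.sso_last = now
        self.apps = {app: now}

    def _logout(self):
        self.sso_last = None
        self.apps.clear()

    def request(self, app, now):
        """Serve a request to `app` at time `now`; True if still authenticated."""
        if self.sso_last is None:
            return False
        if now - self.sso_last >= TIMEOUT:
            self._logout()            # master session idle too long: global logout
            return False
        if not self.tie_to_sso:
            if any(now - t >= TIMEOUT for t in self.apps.values()):
                self._logout()        # some app session timed out => global logout
                return False
        self.sso_last = now
        self.apps[app] = now
        return True


def yahoo_scenario(tie_to_sso):
    """Log in via Mail, play Games every 5 minutes for 30 minutes, return to Mail.

    Returns (all Games requests authenticated?, final Mail request authenticated?).
    """
    p = Portal(tie_to_sso)
    p.login("mail", 0)
    games_ok = all(p.request("games", t) for t in range(5, 31, 5))
    return games_ok, p.request("mail", 30)


def idle_scenario(tie_to_sso):
    """Log in, then come back after a full timeout with no activity anywhere."""
    p = Portal(tie_to_sso)
    p.login("mail", 0)
    return p.request("games", TIMEOUT)
```

With independent timers the idle Mail session expires during the Games activity and takes the whole SSO session with it; tying app sessions to the master timer keeps the user authenticated while still logging out a genuinely idle user.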