tomcat-users mailing list archives

From Adam Hardy <>
Subject Re: form-based authentication & session.invalidate
Date Sat, 11 Oct 2003 20:45:01 GMT
I have just figured out that the SSO in JSESSIONIDSSO stands for 

I have the following JSP:

remote user <%=request.getRemoteUser() %> in
session <%= session.getId() %>

and after doing a login, I saw I got JSESSIONID and JSESSIONIDSSO 
cookies. I then go to a second site on my tomcat and get a second 
JSESSIONID without having to do a login coz of SSO.

Now going to this page which has the stuff above, and refreshing over 
and over always showed the following:

remote user adam in session EB2543D909D52551EA58C77E963CDD17
remote user adam in session EA33F35CCB3D1205A88226029C65939C
remote user adam in session 8814C0365D3F0BDD97B1DE9B7EAECD17
remote user adam in session 1B7F0424190985F24A294EA2344888C5

I see the JSESSIONIDSSO cookie is keeping my remoteUser info active. 
This shouldn't be the case I'm sure. If I delete the SSO cookie in 
Mozilla, I get a login request on my next request.

Also if I only login to one site, even though I get the SSO cookie, when 
I invalidate the session, I immediately get a login request. Strange.

This is not correct behaviour for tomcat, is it?


On 10/11/2003 06:04 PM Tim Funk wrote:
> Authentication information is somewhat stored in the session for form 
> based authentication. (I can't remember the specifics) So using 
> session.invalidate should log the user out. This works since the session 
> id which is a cookie or URL rewriting scheme is what the browser keys in 
> on. By invalidating that id on the server, the browser is now sending an 
> invalid credential and thus logged out.
> In BASIC authentication, the credentials are stored in the web browser 
> and sent when/if requested. So the only way to get rid of those stored 
> credentials is by closing the web browser.
> [Of course, when the web server is restarted or web app restarted - I 
> can't recall what happens to the authentication information. ]
> -Tim
> Adam Hardy wrote:
>> I am using session.invalidate() to try to cause the user to receive 
>> another login request, using CMS form-based authentication.
>> I saw the same issue in bugzilla but for basic authentication:
>> where the tomcat developer/bugzilla person resolved the issue saying 
>> that CMS basic authentication cannot be manipulated in this way since 
>> the browser sends the login info with every request, requiring the 
>> user to close the browser before seeing another login request.
>> Is this the same for form-based authentication?
>> I thought that in tomcat4 I was getting new login request for the 
>> users just by invalidating their sessions. Am I deluding myself?

struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9
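The thread turns on the fact that, with Tomcat's SingleSignOn valve enabled, two things identify the logged-in user: the webapp's own session (JSESSIONID), where FORM authentication caches the principal, and the host-wide JSESSIONIDSSO cookie. Calling session.invalidate() only touches the first. The servlet below is an added example, not code from the thread or from Tomcat; it shows a logout handler that invalidates the session and also tells the browser to drop the SSO cookie, so the next request cannot be silently re-authenticated from the SSO cache. The cookie name is the one seen in the post; the cookie path "/" and the redirect target /login.jsp are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical logout servlet (added example, not from the thread or Tomcat).
// Map it in web.xml, e.g. <url-pattern>/logout</url-pattern>.
public class LogoutServlet extends HttpServlet {

    // Name observed in the original post; set by Tomcat's SingleSignOn valve.
    private static final String SSO_COOKIE = "JSESSIONIDSSO";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        // 1. Invalidate this webapp's session. For FORM authentication the
        //    authenticated principal is cached in the session, so for a
        //    single webapp without SSO this alone forces a new login.
        HttpSession session = req.getSession(false); // do not create one
        if (session != null) {
            session.invalidate();
        }

        // 2. Expire the SSO cookie in the browser. With the SingleSignOn
        //    valve, the principal is also remembered host-wide under this
        //    cookie, which is why the poster stayed "adam" across fresh
        //    JSESSIONIDs until the cookie was deleted by hand.
        Cookie sso = new Cookie(SSO_COOKIE, "");
        sso.setMaxAge(0);     // max-age 0 tells the browser to delete it
        sso.setPath("/");     // assumption: valve sets the cookie on "/"
        resp.addCookie(sso);

        // 3. Expire the webapp session cookie as well, so the browser does
        //    not keep presenting an id that the server has already dropped.
        Cookie jsid = new Cookie("JSESSIONID", "");
        jsid.setMaxAge(0);
        jsid.setPath(req.getContextPath().length() == 0
                     ? "/" : req.getContextPath());
        resp.addCookie(jsid);

        // 4. Make sure the logout response itself is never served from cache,
        //    then send the user to the login page (path is an assumption).
        resp.setHeader("Cache-Control", "no-store");
        resp.setHeader("Pragma", "no-cache");
        resp.sendRedirect(req.getContextPath() + "/login.jsp");
    }
}
```

The defensive point is that a logout must remove every credential the browser will keep sending, not just the one the application happens to know about; deleting a cookie client-side is advisory, so the server-side invalidation in step 1 remains the real control. On Servlet 3.0 and later containers, HttpServletRequest.logout() can be called in addition to steps 1 and 2 to clear the container-level authentication state.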
