tomcat-users mailing list archives

From Adam Hardy <ahardy.str...@cyberspaceroad.com>
Subject Re: form-based authentication & session.invalidate
Date Sun, 12 Oct 2003 19:27:35 GMT
Although I've no real idea what an internal Tomcat SessionEvent is, it 
sounds like it's a bug. Give me the word and I'll enter it in Bugzilla.

Adam

On 10/12/2003 01:57 AM Tim Funk wrote:
> Hmm. I always thought that when using the SSO valve, logging out of one 
> webapp automatically logs you out of all webapps.
> 
> The 5 code looks broken based on *very quick* inspection compared to 4.1 
> based on lines 304-308.
> 
>         if ( event.getData() != null
>              && "logout".equals( event.getData().toString() )) {
>             // logout of all applications
>             deregister(ssoId);
>         } else {
>             // invalidate just one session
>             deregister(ssoId, session);
>         }
> 
> I haven't been able to locate how logout can be a value in a SessionEvent.
> 
> 
> -Tim
> 
> Adam Hardy wrote:
> 
>> I have just figured out that the SSO in JSESSIONIDSSO stands for 
>> single-sign-on.
>>
>> I have the following JSP:
>>
>> remote user <%=request.getRemoteUser() %> in
>> session <%= session.getId() %>
>> <%
>> session.invalidate();
>> %>
>>
>> and after doing a login, I saw I got JSESSIONID and JSESSIONIDSSO 
>> cookies. I then go to a second site on my Tomcat and get a second 
>> JSESSIONID without having to do a login coz of SSO.
>>
>> Now going to this page which has the stuff above, and refreshing over 
>> and over always showed the following:
>>
>> remote user adam in session EB2543D909D52551EA58C77E963CDD17
>> remote user adam in session EA33F35CCB3D1205A88226029C65939C
>> remote user adam in session 8814C0365D3F0BDD97B1DE9B7EAECD17
>> remote user adam in session 1B7F0424190985F24A294EA2344888C5
>>
>> I see the JSESSIONIDSSO cookie is keeping my remoteUser info active. 
>> This shouldn't be the case I'm sure. If I delete the SSO cookie in 
>> Mozilla, I get a login request on my next request.
>>
>> Also if I only log in to one site, even though I get the SSO cookie, 
>> when I invalidate the session, I immediately get a login request. 
>> Strange.
>>
>> This is not correct behaviour for Tomcat, is it?
>>
>> Adam


-- 
struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9
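
Added example, not part of the original messages and not Tomcat source: a toy model of the two branches in the snippet Tim quoted, run against the two situations Adam describes. The class and method names other than deregister are hypothetical, and the model assumes the sign-on entry is dropped once its last session is removed, which is what Adam's single-site observation suggests.

```java
import java.util.*;

/** Toy model (not Tomcat source) of an SSO registry keyed by the JSESSIONIDSSO value. */
public class SsoLogoutModel {
    // ssoId -> ids of the per-webapp sessions currently tied to that sign-on
    private final Map<String, Set<String>> cache = new HashMap<>();
    private int counter = 0;
    /** Ties a new per-webapp session to the sign-on, as on login or silent SSO re-auth. */
    String register(String ssoId, String webapp) {
        String sessionId = webapp + "-" + (++counter);
        cache.computeIfAbsent(ssoId, k -> new HashSet<>()).add(sessionId);
        return sessionId;
    }

    /** "logout of all applications": drop the whole sign-on. */
    void deregister(String ssoId) { cache.remove(ssoId); }
    /** "invalidate just one session". Assumption: the entry goes with its last session. */
    void deregister(String ssoId, String sessionId) {
        Set<String> sessions = cache.get(ssoId);
        if (sessions == null) return;
        sessions.remove(sessionId);
        if (sessions.isEmpty()) cache.remove(ssoId);
    }
    /** The dispatch from the quoted snippet; eventData stands in for event.getData(). */
    void sessionDestroyed(String ssoId, String sessionId, Object eventData) {
        if (eventData != null && "logout".equals(eventData.toString())) deregister(ssoId);
        else deregister(ssoId, sessionId);
    }
    /** True if a request carrying only the SSO cookie would be re-authenticated silently. */
    boolean ssoCookieStillValid(String ssoId) { return cache.containsKey(ssoId); }

    public static void main(String[] args) {
        String id = "SSO-1"; // constructed cookie value
        // Case 1: two webapps signed on, session.invalidate() in one (event data is null)
        SsoLogoutModel sso = new SsoLogoutModel();
        String a = sso.register(id, "app1");
        sso.register(id, "app2");
        sso.sessionDestroyed(id, a, null);
        System.out.println("two apps, invalidate one -> signed on: " + sso.ssoCookieStillValid(id));
        // Case 2: only one webapp signed on, then invalidated
        SsoLogoutModel single = new SsoLogoutModel();
        String only = single.register(id, "app1");
        single.sessionDestroyed(id, only, null);
        System.out.println("one app, invalidate it   -> signed on: " + single.ssoCookieStillValid(id));
        // Case 3: event data "logout" ends the sign-on for every webapp
        String b = sso.register(id, "app1");
        sso.sessionDestroyed(id, b, "logout");
        System.out.println("logout event             -> signed on: " + sso.ssoCookieStillValid(id));
    }
}
```

In this model a plain session.invalidate() ends the sign-on only when no other webapp session is attached to it, so a logout page that relies on invalidate() alone leaves the user authenticated wherever the SSO cookie is accepted.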

