tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: How to serialize user principle
Date Mon, 13 Sep 2010 19:07:23 GMT

André,

On 9/13/2010 2:21 PM, André Warnier wrote:
> As far as I know, the Tomcat (container-managed) authentication is based
> on the user session

Per the servlet spec, the HttpSession == "user login" for FORM
authentication.

> and the persistence of a session is linked to the
> JSESSIONID cookie which Tomcat sends to the browser; and as far as I
> know this JSESSIONID cookie, by default, only lasts for the duration of
> a web browser session.
> 
> So, independently of whether Tomcat saves and persists the sessions
> across a webapp reload or a Tomcat restart, if the user closes and
> re-opens their browser, their session will be lost, and so will their
> authentication.

Generally speaking, yes.

> If your goal is that users need to login only once during any day, then
> you should look at some Single-Sign-On mechanism, external to Tomcat.

Or, just change the session expiration time.

I think Mohammad is talking about logins surviving a Tomcat restart
(which they should be able to do, without any additional configuration
from the default).

-chris