RE: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenti cator SingleSignOnEntry.java AuthenticatorBase.java BasicAuthenticator.java DigestAuthenticator.java FormAuthenticator.java NonLoginAuthenticator.java SSLAuthentic

["Nelson, Luke" <Lu...@itssiemens.com>]

I have tried applying the patch, and I found three problems with it.
First, its removal of a session from the SingleSignOnEntry object causes
an IndexOutOfBounds exception.  Second, the method for determining
whether the user explicitly logged out or whether a session timed out
doesn't scale one of the numbers correctly (i.e. comparing millisecond
values to seconds).  I have fixed the patch, but I don't have a diff of
it yet (I'm new to helping with this project).  Finally, the patch
doesn't synchronize on 'reverse' when removing an entry from it.

The only other issue that I have with this patch is that if someone
explicitly logged out at the same instant that the session timed out,
the user may not be logged out of all of the applications.  It is an
unlikely scenario, but still a dangerous one.  This is why it is better
for the session object, when firing the destroyed event, to indicate
whether it was destroyed by timeout or explicit invalidation.

Luke

-----Original Message-----
From: Brian Stansberry [mailto:brian_stansberry@wanconcepts.com] 
Sent: Monday, November 24, 2003 10:43 AM
To: Tomcat Developers List
Subject: Re: cvs commit:
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenti
cator SingleSignOnEntry.java AuthenticatorBase.java
BasicAuthenticator.java DigestAuthenticator.java FormAuthenticator.java
NonLoginAuthenticator.java SSLAuthentic

At 06:15 PM 11/24/2003 +0100, you wrote:
>Tim Funk wrote:
>
>>This means that the "logout" check is now back in, the revert from 1.6
-> 1.7 for bug http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23764
>>Diff link:
>>http://cvs.apache.org/viewcvs.cgi/jakarta-tomcat-catalina/catalina/src
/share/org/apache/catalina/authenticator/SingleSignOn.java.diff?r1=1.6&r
2=1.7&diff_format=h 
>>Just an FYI, at this point, I don't know if that is good, bad, or
neither.
>
>That's true.
>Maybe Brian can explain why he removed this (otherwise, I'll reapply
the fix).

No, my mistake. It didn't intend to change anything related to session
invalidation and didn't notice it in the diff.  :(

Since the "logout" feature no longer is there, this means bug 9077 still
applies to TC5.  Is anyone aware of any issue with the proposed patch
attached to that bug?


Brian Stansberry
WAN Concepts, Inc.
www.wanconcepts.com
Tel:    (510) 894-0114 x 116
Fax:    (510) 797-3005 


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org