Posted to users@tomcat.apache.org by Adam Hardy <ah...@cyberspaceroad.com> on 2003/10/11 17:55:04 UTC

form-based authentication & session.invalidate

I am using session.invalidate() to try to cause the user to receive 
another login request, using CMS form-based authentication.

I saw the same issue in bugzilla but for basic authentication:

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12147

where the tomcat developer/bugzilla person resolved the issue saying 
that CMS basic authentication cannot be manipulated in this way since 
the browser sends the login info with every request, requiring the user 
to close the browser before seeing another login request.

Is this the same for form-based authentication?

I thought that in tomcat4 I was getting a new login request for the users 
just by invalidating their sessions. Am I deluding myself?

Thanks
Adam


-- 
struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: form-based authentication & session.invalidate

Posted by Adam Hardy <ah...@cyberspaceroad.com>.
Although I've no real idea what an internal tomcat SessionEvent is, it 
sounds like it's a bug. Give me the word and I'll enter it in bugzilla.

Adam

On 10/12/2003 01:57 AM Tim Funk wrote:
> Hmm. I always thought that when using the SSO valve, logging out of one 
> webapp automatically logs you out of all webapps.
> 
> The 5 code looks broken based on *very quick* inspection compared to 4.1 
> based on lines 304-308.
> 
>         if ( event.getData() != null
>              && "logout".equals( event.getData().toString() )) {
>             // logout of all applications
>             deregister(ssoId);
>         } else {
>             // invalidate just one session
>             deregister(ssoId, session);
>         }
> 
> I haven't been able to locate how logout can be a value in a SessionEvent.
> 
> 
> -Tim
> 
> Adam Hardy wrote:
> 
>> I have just figured out that the SSO in JSESSIONIDSSO stands for 
>> single-sign-on.
>>
>> I have the following JSP:
>>
>> remote user <%=request.getRemoteUser() %> in
>> session <%= session.getId() %>
>> <%
>> session.invalidate();
>> %>
>>
>> and after doing a login, I saw I got JSESSIONID and JSESSIONIDSSO 
>> cookies. I then go to a second site on my tomcat and get a second 
>> JSESSIONID without having to do a login coz of SSO.
>>
>> Now going to this page which has the stuff above, and refreshing over 
>> and over always showed the following:
>>
>> remote user adam in session EB2543D909D52551EA58C77E963CDD17
>> remote user adam in session EA33F35CCB3D1205A88226029C65939C
>> remote user adam in session 8814C0365D3F0BDD97B1DE9B7EAECD17
>> remote user adam in session 1B7F0424190985F24A294EA2344888C5
>>
>> I see the JSESSIONIDSSO cookie is keeping my remoteUser info active. 
>> This shouldn't be the case I'm sure. If I delete the SSO cookie in 
>> mozilla, I get a login request on my next request.
>>
>> Also if I only login to one site, even though I get the SSO cookie, 
>> when I invalidate the session, I immediately get a login request. 
>> Strange.
>>
>> This is not correct behaviour for tomcat, is it?
>>
>> Adam


-- 
struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9




Re: form-based authentication & session.invalidate

Posted by Tim Funk <fu...@joedog.org>.
Hmm. I always thought that when using the SSO valve, logging out of one 
webapp automatically logs you out of all webapps.

The 5 code looks broken based on *very quick* inspection compared to 4.1 
based on lines 304-308.

         if ( event.getData() != null
              && "logout".equals( event.getData().toString() )) {
             // logout of all applications
             deregister(ssoId);
         } else {
             // invalidate just one session
             deregister(ssoId, session);
         }

I haven't been able to locate how logout can be a value in a SessionEvent.


-Tim

Adam Hardy wrote:
> I have just figured out that the SSO in JSESSIONIDSSO stands for 
> single-sign-on.
> 
> I have the following JSP:
> 
> remote user <%=request.getRemoteUser() %> in
> session <%= session.getId() %>
> <%
> session.invalidate();
> %>
> 
> and after doing a login, I saw I got JSESSIONID and JSESSIONIDSSO 
> cookies. I then go to a second site on my tomcat and get a second 
> JSESSIONID without having to do a login coz of SSO.
> 
> Now going to this page which has the stuff above, and refreshing over 
> and over always showed the following:
> 
> remote user adam in session EB2543D909D52551EA58C77E963CDD17
> remote user adam in session EA33F35CCB3D1205A88226029C65939C
> remote user adam in session 8814C0365D3F0BDD97B1DE9B7EAECD17
> remote user adam in session 1B7F0424190985F24A294EA2344888C5
> 
> I see the JSESSIONIDSSO cookie is keeping my remoteUser info active. 
> This shouldn't be the case I'm sure. If I delete the SSO cookie in 
> mozilla, I get a login request on my next request.
> 
> Also if I only login to one site, even though I get the SSO cookie, when 
> I invalidate the session, I immediately get a login request. Strange.
> 
> This is not correct behaviour for tomcat, is it?
> 
> Adam
> 




Re: form-based authentication & session.invalidate

Posted by Adam Hardy <ah...@cyberspaceroad.com>.
I have just figured out that the SSO in JSESSIONIDSSO stands for 
single-sign-on.

I have the following JSP:

remote user <%=request.getRemoteUser() %> in
session <%= session.getId() %>
<%
session.invalidate();
%>

and after doing a login, I saw I got JSESSIONID and JSESSIONIDSSO 
cookies. I then go to a second site on my tomcat and get a second 
JSESSIONID without having to do a login coz of SSO.

Now going to this page which has the stuff above, and refreshing over 
and over always showed the following:

remote user adam in session EB2543D909D52551EA58C77E963CDD17
remote user adam in session EA33F35CCB3D1205A88226029C65939C
remote user adam in session 8814C0365D3F0BDD97B1DE9B7EAECD17
remote user adam in session 1B7F0424190985F24A294EA2344888C5

I see the JSESSIONIDSSO cookie is keeping my remoteUser info active. 
This shouldn't be the case I'm sure. If I delete the SSO cookie in 
mozilla, I get a login request on my next request.

Also if I only login to one site, even though I get the SSO cookie, when 
I invalidate the session, I immediately get a login request. Strange.

This is not correct behaviour for tomcat, is it?

Adam

On 10/11/2003 06:04 PM Tim Funk wrote:
> Authentication information is somewhat stored in the session for form 
> based authentication. (I can't remember the specifics) So using 
> session.invalidate should log the user out. This works since the session 
> id which is a cookie or URL rewriting scheme is what the browser keys in 
> on. By invalidating that id on the server, the browser is now sending an 
> invalid credential and thus logged out.
> 
> In BASIC authentication, the credentials are stored in the web browser 
> and sent when/if requested. So the only way to get rid of those stored 
> credentials is by closing the web browser.
> 
> [Of course, when the web server is restarted or web app restarted - I 
> can't recall what happens to the authentication information. ]
> 
> -Tim
> 
> Adam Hardy wrote:
> 
>> I am using session.invalidate() to try to cause the user to receive 
>> another login request, using CMS form-based authentication.
>>
>> I saw the same issue in bugzilla but for basic authentication:
>>
>> http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12147
>>
>> where the tomcat developer/bugzilla person resolved the issue saying 
>> that CMS basic authentication cannot be manipulated in this way since 
>> the browser sends the login info with every request, requiring the 
>> user to close the browser before seeing another login request.
>>
>> Is this the same for form-based authentication?
>>
>> I thought that in tomcat4 I was getting a new login request for the 
>> users just by invalidating their sessions. Am I deluding myself?


-- 
struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9


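A logout servlet, added here as an example (it is not code from the thread or from Tomcat), that does what Adam's experiment above suggests: invalidate the per-webapp session that FORM authentication relies on, and also expire the JSESSIONIDSSO cookie, since deleting that cookie is what he found produces a new login request. The servlet name, its URL mapping and the redirect target are assumptions; the cookie name and the "/" path are those used by Tomcat's SingleSignOn valve.

```java
// Added example, not from the thread or from Tomcat: a logout servlet that
// invalidates the HttpSession holding the FORM-auth principal and expires the
// JSESSIONIDSSO cookie issued by the SingleSignOn valve, so the browser can no
// longer present it on the next request. Class name and redirect target are
// assumptions; the code stays Java 1.4 compatible to match the thread's setup.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LogoutServlet extends HttpServlet {

    // Name of the cookie Tomcat's SingleSignOn valve sets (seen in the thread).
    private static final String SSO_COOKIE = "JSESSIONIDSSO";

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // 1. Drop the webapp session; with FORM auth this is where the
        //    authenticated principal for this context lives.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Expire the SSO cookie. Path must match the one the valve used
        //    ("/"), otherwise the browser keeps the original cookie and only
        //    a second, differently scoped copy is expired.
        Cookie[] cookies = request.getCookies();
        if (cookies != null) {
            for (int i = 0; i < cookies.length; i++) {
                if (SSO_COOKIE.equals(cookies[i].getName())) {
                    Cookie expired = new Cookie(SSO_COOKIE, "");
                    expired.setPath("/");
                    expired.setMaxAge(0); // max-age 0 tells the browser to delete it
                    response.addCookie(expired);
                }
            }
        }

        // 3. Keep the logout response out of caches, then send the user to a
        //    protected page so the next request is met by the login form.
        response.setHeader("Cache-Control", "no-cache, no-store");
        response.setHeader("Pragma", "no-cache");
        response.sendRedirect(request.getContextPath() + "/index.jsp"); // assumed target
    }
}
```

Expiring the cookie only stops the browser from presenting it; the valve's server-side SSO entry and the sessions in the other webapps live on until they time out, so this does not settle whether Tomcat 5 deregisters them on invalidate, which is the question Tim raises about the valve code.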


Re: form-based authentication & session.invalidate

Posted by Tim Funk <fu...@joedog.org>.
Authentication information is somewhat stored in the session for form based 
authentication. (I can't remember the specifics) So using session.invalidate 
should log the user out. This works since the session id which is a cookie or 
URL rewriting scheme is what the browser keys in on. By invalidating that id 
on the server, the browser is now sending an invalid credential and thus 
logged out.

In BASIC authentication, the credentials are stored in the web browser and 
sent when/if requested. So the only way to get rid of those stored 
credentials is by closing the web browser.

[Of course, when the web server is restarted or web app restarted - I can't 
recall what happens to the authentication information. ]

-Tim

Adam Hardy wrote:
> I am using session.invalidate() to try to cause the user to receive 
> another login request, using CMS form-based authentication.
> 
> I saw the same issue in bugzilla but for basic authentication:
> 
> http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12147
> 
> where the tomcat developer/bugzilla person resolved the issue saying 
> that CMS basic authentication cannot be manipulated in this way since 
> the browser sends the login info with every request, requiring the user 
> to close the browser before seeing another login request.
> 
> Is this the same for form-based authentication?
> 
> I thought that in tomcat4 I was getting a new login request for the users 
> just by invalidating their sessions. Am I deluding myself?
> 

