You are viewing a plain text version of this content. The canonical link for it is here.
Posted to jetspeed-user@portals.apache.org by Aaron Evans <aa...@gmail.com> on 2006/03/09 20:51:43 UTC
session data of my portlet app still around after logout
So I seem to recall a posting about this a while back, but couldn't find it.
Anyhow, when I am finding that when I logout of jetspeed, the session
attributes of my portlet application are still available.
I happen to have tomcat SSO turned on, but am not sure if this is what is
causing it.
With the SSO turned on, what *should* happen is that because my session got
invalidated, tomcat SSO should invalidate all other sessions tied to my SSO
parent session.
I solved this problem by changing the logout URI to a URI of my portlet web
app, calling session.invalidate and then redirecting to the jetspeed logout
URI.
I don't think this is a jetspeed problem but rather a tomcat/tomcat SSO
issue, but I was just wondering if others have seen this behaviour.
I am on tomcat 5.5.9...
Re: session data of my portlet app still around after logout
Posted by Aaron Evans <aa...@gmail.com>.
Personally, I think it the desired behavour should be like the tomcat SSO
valve.
What happens there is whenever an application session is terminated, if it
was terminated because of a timeout, then if the parent SSO session has no
other children sessions, then the parent SSO session is also terminated.
However, if there are other children sessions, then just the session that
has just timed out is removed from the SSO parent session, everything else
is left intact. (If the user goes to use that application again, they are
automatically re-authenticated and the session re-instantiated).
However, if it was invalidated (typically because of a logout), then all
children sessions of the parent SSO session are invalidated and finally the
parent session itself is terminated.
But still, no idea what exactly is causing it, and I really doubt it has
anything to do with jetspeed...
On 3/9/06, Jacek Wiślicki <ja...@gmail.com> wrote:
>
> Wiadomosc od Aaron Evans z 2006-03-09 21:52 brzmiala:
>
> > Yeah, you may be right about 'emptySessionPath' set to true. If I turn
> that
> > off, it seems to go away...
> Such a behaviour seems reasonable, as if a user logs-off from one webapp
> (context) he may still be active in another context sharing the same
> HTTP session.
>
> --
> pozdrawiam,
> Jacek Wislicki
>
> jacek.wislicki@gmail.com
> tel.: +48 502 408 444
> gg: 2540358
> skype: jacek_wislicki
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
> For additional commands, e-mail: jetspeed-user-help@portals.apache.org
>
>
Re: session data of my portlet app still around after logout
Posted by Jacek Wiślicki <ja...@gmail.com>.
Wiadomosc od Aaron Evans z 2006-03-09 21:52 brzmiala:
> Yeah, you may be right about 'emptySessionPath' set to true. If I turn that
> off, it seems to go away...
Such a behaviour seems reasonable, as if a user logs-off from one webapp
(context) he may still be active in another context sharing the same
HTTP session.
--
pozdrawiam,
Jacek Wislicki
jacek.wislicki@gmail.com
tel.: +48 502 408 444
gg: 2540358
skype: jacek_wislicki
---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-user-help@portals.apache.org
Re: session data of my portlet app still around after logout
Posted by Aaron Evans <aa...@gmail.com>.
Yeah, you may be right about 'emptySessionPath' set to true. If I turn that
off, it seems to go away...
On 3/9/06, Jacek Wiślicki <ja...@gmail.com> wrote:
>
> Wiadomosc od Aaron Evans z 2006-03-09 20:51 brzmiala:
>
> > So I seem to recall a posting about this a while back, but couldn't find
> it.
> >
> > Anyhow, when I am finding that when I logout of jetspeed, the session
> > attributes of my portlet application are still available.
> >
> > I happen to have tomcat SSO turned on, but am not sure if this is what
> is
> > causing it.
> >
> > With the SSO turned on, what *should* happen is that because my session
> got
> > invalidated, tomcat SSO should invalidate all other sessions tied to my
> SSO
> > parent session.
> >
> > I solved this problem by changing the logout URI to a URI of my portlet
> web
> > app, calling session.invalidate and then redirecting to the jetspeed
> logout
> > URI.
> >
> > I don't think this is a jetspeed problem but rather a tomcat/tomcat SSO
> > issue, but I was just wondering if others have seen this behaviour.
> >
> > I am on tomcat 5.5.9...
> I've also noticed this behaviour (Tomcat 5.5.12) without SSO. Session
> indeed is invalidated in Jetspeed LogoutServlet, but some data is still
> held. I'm not sure, but it may be caused by enabling cross-context
> sessions ('emptySessionPath' set to true).
>
> --
> pozdrawiam,
> Jacek Wislicki
>
> jacek.wislicki@gmail.com
> tel.: +48 502 408 444
> gg: 2540358
> skype: jacek_wislicki
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
> For additional commands, e-mail: jetspeed-user-help@portals.apache.org
>
>
Re: session data of my portlet app still around after logout
Posted by Jacek Wiślicki <ja...@gmail.com>.
Wiadomosc od Aaron Evans z 2006-03-09 20:51 brzmiala:
> So I seem to recall a posting about this a while back, but couldn't find it.
>
> Anyhow, when I am finding that when I logout of jetspeed, the session
> attributes of my portlet application are still available.
>
> I happen to have tomcat SSO turned on, but am not sure if this is what is
> causing it.
>
> With the SSO turned on, what *should* happen is that because my session got
> invalidated, tomcat SSO should invalidate all other sessions tied to my SSO
> parent session.
>
> I solved this problem by changing the logout URI to a URI of my portlet web
> app, calling session.invalidate and then redirecting to the jetspeed logout
> URI.
>
> I don't think this is a jetspeed problem but rather a tomcat/tomcat SSO
> issue, but I was just wondering if others have seen this behaviour.
>
> I am on tomcat 5.5.9...
I've also noticed this behaviour (Tomcat 5.5.12) without SSO. Session
indeed is invalidated in Jetspeed LogoutServlet, but some data is still
held. I'm not sure, but it may be caused by enabling cross-context
sessions ('emptySessionPath' set to true).
--
pozdrawiam,
Jacek Wislicki
jacek.wislicki@gmail.com
tel.: +48 502 408 444
gg: 2540358
skype: jacek_wislicki
---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-user-help@portals.apache.org