Posted to dev@tomcat.apache.org by bu...@apache.org on 2003/04/16 21:19:30 UTC
DO NOT REPLY [Bug 19088] New: -
Session timeout in one webapp cancels all SingleSignOn sessions
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=19088
Summary: Session timeout in one webapp cancels all SingleSignOn
sessions
Product: Tomcat 4
Version: 4.0.4 Final
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: Other
Component: Catalina
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: patrick_conant@yahoo.com
When a user is logged into multiple webapps via the SingleSignOn valve and a
single one of those webapps' sessions expires, the user has to re-login to the
currently active webapp.
This issue seems to have arisen in revision 1.7 of the file
/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/authenticator/SingleSignOn.java.
When a single session expires, the SessionEvent(s) method calls deregister(..)
which cancels out all of the active sessions for a user.
While I agree that there should be a single sign off for this valve, a single
session timeout should not cause a global signout. Take the example of a
person logged into multiple webapps in a portal (say Yahoo mail and chat).
When the user's mail session times out but the chat session is still active,
the user should not be kicked out of chat... But when a user _actively_ signs
out of mail, they should also be signed out of chat.
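A minimal model of the behaviour the report asks for, added here as an illustration; it is not Tomcat's code or the reporter's. The names `SsoRegistry`, `AppSession` and `sessionDestroyed`, and the choice to treat "idle for at least the session's limit" as the sign of a timeout, are assumptions of this example.

```java
import java.util.*;

// Added illustration, not Tomcat code; all class and method names are hypothetical.
public class SsoExpiryDemo {
    static class AppSession {
        final String webapp; final int maxInactiveSec; long lastAccessedMs; boolean valid = true;
        AppSession(String webapp, int maxInactiveSec, long nowMs) {
            this.webapp = webapp; this.maxInactiveSec = maxInactiveSec; this.lastAccessedMs = nowMs;
        }
        // True when the session has been idle for at least its limit (<= 0 means no limit).
        boolean idleTimedOut(long nowMs) {
            return maxInactiveSec > 0 && nowMs - lastAccessedMs >= maxInactiveSec * 1000L;
        }
    }

    static class SsoRegistry {
        private final Map<String, Set<AppSession>> bySsoId = new HashMap<>();

        void associate(String ssoId, AppSession s) {
            bySsoId.computeIfAbsent(ssoId, k -> new LinkedHashSet<>()).add(s);
        }

        // Invoked when one webapp's session is destroyed, for whatever reason.
        void sessionDestroyed(String ssoId, AppSession s, long nowMs) {
            s.valid = false;
            Set<AppSession> sessions = bySsoId.get(ssoId);
            if (sessions == null) return;
            if (s.idleTimedOut(nowMs)) {
                sessions.remove(s);                      // timeout: drop only this session
                if (sessions.isEmpty()) bySsoId.remove(ssoId);
            } else {
                bySsoId.remove(ssoId);                   // active sign-out: global sign-off
                for (AppSession other : sessions) other.valid = false;
            }
        }
    }

    public static void main(String[] args) {
        SsoRegistry reg = new SsoRegistry();           // constructed sample data below
        AppSession mail = new AppSession("/mail", 60, 0L), chat = new AppSession("/chat", 3600, 0L);
        reg.associate("sso-1", mail); reg.associate("sso-1", chat);
        chat.lastAccessedMs = 60_000L;                 // chat still in use
        reg.sessionDestroyed("sso-1", mail, 61_000L);  // mail idle 61 s, limit 60 s
        System.out.println("after mail timeout: chat.valid=" + chat.valid);
        AppSession mail2 = new AppSession("/mail", 60, 62_000L);
        reg.associate("sso-1", mail2);
        reg.sessionDestroyed("sso-1", mail2, 63_000L); // idle 1 s: user signed out
        System.out.println("after mail sign-out: chat.valid=" + chat.valid);
    }
}
```

The idle-time test is a heuristic: a sign-out that arrives after the idle limit has passed but before the container has expired the session is classified as a timeout, so the other webapps stay signed on. A design that needs certainty would pass the reason for destruction explicitly.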