Posted to user@struts.apache.org by "Siggelkow, Bill" <bi...@mirant.com> on 2001/12/18 22:28:08 UTC

RE: Invalidate and container authentication in multi-app environment

I know in WLS 6, all web apps use the same cookie name, JSESSIONID, to hold
the session ID (and thus facilitate single-sign-on). In WLS 6, you can
specify a different cookie name in the weblogic.xml file for that web app if
you don't want the single-sign-on behavior (which I think is what you are
seeing). I suggest you look at the stuff on the edocs.bea.com site or
search the BEA newsgroups if you need further info.

-----Original Message-----
From: Michelle Popovits [mailto:mpopovits@hotmail.com]
Sent: Tuesday, December 18, 2001 4:13 PM
To: struts-user@jakarta.apache.org
Subject: Invalidate and container authentication in multi-app environment


Hi,

I have been researching the archives trying to resolve an issue.
http://www.mail-archive.com/struts-user@jakarta.apache.org/msg10294.html
http://www.mail-archive.com/struts-user@jakarta.apache.org/msg14538.html

These threads describe my situation pretty closely (although not exactly) 
and the solutions provided have not worked for me.

I will describe the problem here again and hope that someone out there may 
be able to offer advice.

I am attempting to implement a Logout action which will log out the user and
forward them back to the main page of the application.  The main page action
itself is secure and should prompt for authentication before allowing the
page to be viewed.
In the logout action:
a) invalidate the session
b) forward to the application's main page (redirect=true)

Now, normally if I just log into this application (let's call it Application
A), do stuff, and then log out, the logout is successful and the login page
appears as expected.

Now, here's the twist.  If I log into another application (let's call it
Application B) and just change the url (without logging out) to point to
Application A, log in and then try to log out of Application A, then it does
not log out.  It behaves as though the user was still authenticated.  If I
log out of Application B before changing the url to point to Application A
then I am able to log out successfully.

Let's review the scenarios.

Scenario A
- bring up new browser window
- log into 'Application A'
- do stuff in 'Application A'
- log out
- result:  logs out properly.

Scenario B
- bring up new browser window
- log into 'Application B'
- change url, without logging out of 'Application B', to 'Application A'
- log into 'Application A'
- do stuff in 'Application A'
- log out of 'Application A'
- result:  does not log out properly, it should prompt for authentication 
before showing main page, but does not.

Scenario C
- bring up new browser window
- log into 'Application B'
- log out of 'Application B'
- change url to 'Application A'
- log into 'Application A'
- do stuff (i.e. go to add page)
- log out of 'Application A'
- result:  logs out properly.


I guess if the users were properly disciplined to log out of their
application before moving on to another application then this would never be
a problem...but... the world is not so perfect.

Any ideas?  Has anyone encountered this before?

I am running WebLogic 5.1 sp10 using Struts 1.0 release.


Thanks,
Michelle
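
Added example, not part of the original thread or of BEA's documentation: a weblogic.xml session descriptor of the kind the reply describes for WLS 6, giving one web app its own session cookie name so that it stops sharing JSESSIONID with the other apps on the server. The cookie name APP_A_SESSIONID is a made-up value, and the DOCTYPE declaration is omitted.

```xml
<!-- WEB-INF/weblogic.xml for Application A (WLS 6.x descriptor format) -->
<weblogic-web-app>
  <session-descriptor>
    <!-- Default is JSESSIONID, shared by every web app on the server.
         A distinct name keeps this app's session cookie separate, so
         invalidating the session here is not masked by a session that
         is still live in Application B. -->
    <session-param>
      <param-name>CookieName</param-name>
      <!-- Constructed value; pick one unique name per web app -->
      <param-value>APP_A_SESSIONID</param-value>
    </session-param>
  </session-descriptor>
</weblogic-web-app>
```

To check the result, log into both applications in one browser window and confirm that two differently named session cookies are present, then repeat Scenario B.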

