You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by bu...@apache.org on 2002/05/14 20:19:55 UTC
DO NOT REPLY [Bug 9077] New: -
SingleSignOn and session invalidate
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=9077>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=9077
SingleSignOn and session invalidate
Summary: SingleSignOn and session invalidate
Product: Tomcat 4
Version: 4.1.1
Platform: All
OS/Version: All
Status: NEW
Severity: Enhancement
Priority: Other
Component: Catalina:Modules
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: filipe.mateus@fbn.ca
Considering the SingleSignOn valve is specified in server.xml, suppose I have
two webapps (A and B) running with container-managed security using form
authentication method.
>From a freshly-started container:
- the user makes a request to webapp A
- the login page specified by <form-login-page> tag in web.xml is displayed
- the user logs in and gets to webapp A
- the user then makes a request to webapp B and keeps working there without
reaching webapp B's session timeout
- during this time, webapp A's session timeout is reached and since SingleSignOn
is used, all webapp sessions attached to the user time out.
- the user is facing a session timeout in webapp B which is innappropriate since
he was actively using it.
I would consider the SingleSignOn behaviour correct if the user would explicitly
click a "logout" link. Invalidating all his sessions in every webapps would be
correct in this case. However, the session-timeout case is different because
the user don't understand how his session can timeout if he's currently using
the application.
In the sessionEvent method of SingleSignOn, there should be a way to distinguish
between a session timeout and an explicit logout.
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>