You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by bu...@apache.org on 2002/05/14 20:19:55 UTC

DO NOT REPLY [Bug 9077] New: - SingleSignOn and session invalidate

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=9077>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=9077

SingleSignOn and session invalidate

           Summary: SingleSignOn and session invalidate
           Product: Tomcat 4
           Version: 4.1.1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Enhancement
          Priority: Other
         Component: Catalina:Modules
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: filipe.mateus@fbn.ca


Considering the SingleSignOn valve is specified in server.xml, suppose I have
two webapps (A and B) running with container-managed security using form
authentication method.  

>From a freshly-started container:

- the user makes a request to webapp A
- the login page specified by <form-login-page> tag in web.xml is displayed
- the user logs in and gets to webapp A
- the user then makes a request to webapp B and keeps working there without
reaching webapp B's session timeout
- during this time, webapp A's session timeout is reached and since SingleSignOn
is used, all webapp sessions attached to the user time out.
- the user is facing a session timeout in webapp B which is innappropriate since
he was actively using it.

I would consider the SingleSignOn behaviour correct if the user would explicitly
click a "logout" link.  Invalidating all his sessions in every webapps would be
correct in this case.  However, the session-timeout case is different because
the user don't understand how his session can timeout if he's currently using
the application.

In the sessionEvent method of SingleSignOn, there should be a way to distinguish
between a session timeout and an explicit logout.

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>