Posted to users@tomcat.apache.org by "G. Wade Johnson" <wa...@abbnm.com> on 2003/09/05 21:23:16 UTC

Session Timeouts and SSO

Thanks again for all of the responses so far on my Timeout issue.
I still have a problem, but it is not what I thought it was.

Apparently, there is a <session-timeout/> set to 30 minutes in the
$CATALINA_HOME/conf/web.xml that I have. I don't recall changing this
(but I won't rule out the possibility). I modified that, and found
that I could get the session to expire at the time I specify.

This time, I looked at the cookies that were sent back just before I
get the login screen and found that Tomcat is sending a request to
delete the JSESSIONIDSSO cookie used by the SingleSignon valve.
Apparently, it is this valve and not Tomcat proper that is signing me
out after the timeout period.

Is this expected behavior?

Is there any way for me to work around this behavior?

Thanks again,
G. Wade

Re: Session Timeouts and SSO

Posted by "G. Wade Johnson" <wa...@abbnm.com>.
Thanks, Tim.

I kind of remember reading that now. I need to look at my application
more carefully, to determine what is timing out.

G. Wade

Tim Funk wrote:
> 
> http://jakarta.apache.org/tomcat/tomcat-4.1-doc/config/host.html#Single%20Sign%20On
> 
> "As soon as the user logs out of one web application (for example, by
> invalidating or timing out the corresponding session if form based login is
> used), the user's sessions in all web applications will be invalidated. Any
> subsequent attempt to access a protected resource in any application will
> require the user to authenticate himself or herself again."
> 
> -Tim
> 
> G. Wade Johnson wrote:
> 
> > Thanks again for all of the responses so far on my Timeout issue.
> > I still have a problem, but it is not what I thought it was.
> >
> > Apparently, there is a <session-timeout/> set to 30 minutes in the
> > $CATALINA_HOME/conf/web.xml that I have. I don't recall changing this
> > (but I won't rule out the possibility). I modified that, and found
> > that I could get the session to expire at the time I specify.
> >
> > This time, I looked at the cookies that were sent back just before I
> > get the login screen and found that Tomcat is sending a request to
> > delete the JSESSIONIDSSO cookie used by the SingleSignon valve.
> > Apparently, it is this valve and not Tomcat proper that is signing me
> > out after the timeout period.
> >
> > Is this expected behavior?
> >
> > Is there any way for me to work around this behavior?
> >
> > Thanks again,
> > G. Wade
> 



Re: Session Timeouts and SSO

Posted by Tim Funk <fu...@joedog.org>.
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/config/host.html#Single%20Sign%20On

"As soon as the user logs out of one web application (for example, by
invalidating or timing out the corresponding session if form based login is
used), the user's sessions in all web applications will be invalidated. Any
subsequent attempt to access a protected resource in any application will
require the user to authenticate himself or herself again."

-Tim

G. Wade Johnson wrote:

> Thanks again for all of the responses so far on my Timeout issue.
> I still have a problem, but it is not what I thought it was.
> 
> Apparently, there is a <session-timeout/> set to 30 minutes in the
> $CATALINA_HOME/conf/web.xml that I have. I don't recall changing this
> (but I won't rule out the possibility). I modified that, and found
> that I could get the session to expire at the time I specify.
> 
> This time, I looked at the cookies that were sent back just before I
> get the login screen and found that Tomcat is sending a request to
> delete the JSESSIONIDSSO cookie used by the SingleSignon valve.
> Apparently, it is this valve and not Tomcat proper that is signing me
> out after the timeout period.
> 
> Is this expected behavior?
> 
> Is there any way for me to work around this behavior?
> 
> Thanks again,
> G. Wade
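
An added example, not part of the original thread and not Tomcat code: a small Python model of the Tomcat 4.1 single sign-on behaviour quoted above, showing that the first web application whose session idles out ends the sign-on for every application, even while the user is active elsewhere. The context paths, timeout values and request timelines are constructed, and expiry is modelled as exact, whereas the container checks for expired sessions periodically.

```python
from typing import Dict, List, Optional, Tuple

Request = Tuple[int, str]  # (minute since login, context path of the app hit)


def _earliest_expiry(last_access: Dict[str, int], timeouts: Dict[str, int],
                     now: int) -> Optional[Tuple[int, str]]:
    """Return (minute, app) of the first session whose idle timeout has passed."""
    due = []
    for app, seen in last_access.items():
        limit = timeouts[app]
        if limit <= 0:          # session-timeout of 0 or less: never times out
            continue
        if seen + limit <= now:
            due.append((seen + limit, app))
    return min(due) if due else None


def first_sso_logout(timeouts: Dict[str, int], requests: List[Request],
                     horizon: int) -> Optional[Tuple[int, str]]:
    """Replay requests; return when and in which app the first session times out.

    Per the quoted documentation, that timeout invalidates the user's sessions
    in all applications, so the result is the moment of sign-out everywhere.
    None means the user is still signed in at `horizon`.
    """
    last_access: Dict[str, int] = {}
    for minute, app in sorted(requests):
        expired = _earliest_expiry(last_access, timeouts, minute)
        if expired:
            return expired
        last_access[app] = minute   # a request resets only this app's idle clock
    return _earliest_expiry(last_access, timeouts, horizon)


# Constructed sample: per-app <session-timeout> values in minutes.
TIMEOUTS = {"/portal": 120, "/reports": 30, "/static": 0}
# User keeps working in /portal after one early visit to /reports.
BUSY_IN_ONE_APP = [(0, "/portal"), (1, "/reports"), (20, "/portal"), (40, "/portal")]
# User touches /reports often enough to keep its session alive.
BUSY_IN_BOTH = [(0, "/portal"), (1, "/reports"), (20, "/reports"),
                (40, "/reports"), (45, "/portal")]

if __name__ == "__main__":
    print(first_sso_logout(TIMEOUTS, BUSY_IN_ONE_APP, horizon=60))
    print(first_sso_logout(TIMEOUTS, BUSY_IN_BOTH, horizon=60))
```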