Hmm. I always thought that when using the SSO valve, logging out of one webapp automatically logs you out of all webapps.

The 5 code looks broken based on a *very quick* inspection compared to 4.1, based on lines 304-308.

        if ( event.getData() != null
             && "logout".equals( event.getData().toString() )) {
            // logout of all applications
            deregister(ssoId);
        } else {
            // invalidate just one session
            deregister(ssoId, session);
        }

I haven't been able to locate how logout can be a value in a SessionEvent.


-Tim


Adam Hardy wrote:
I have just figured out that the SSO in JSESSIONIDSSO stands for single-sign-on.

I have the following JSP:

remote user <%=request.getRemoteUser() %> in
session <%= session.getId() %>
<%
session.invalidate();
%>

and after doing a login, I saw I got JSESSIONID and JSESSIONIDSSO cookies. I then go to a second site on my Tomcat and get a second JSESSIONID without having to do a login because of SSO.

Now going to this page which has the stuff above, and refreshing over and over always showed the following:

remote user adam in session EB2543D909D52551EA58C77E963CDD17
remote user adam in session EA33F35CCB3D1205A88226029C65939C
remote user adam in session 8814C0365D3F0BDD97B1DE9B7EAECD17
remote user adam in session 1B7F0424190985F24A294EA2344888C5

I see the JSESSIONIDSSO cookie is keeping my remoteUser info active. This shouldn't be the case, I'm sure. If I delete the SSO cookie in Mozilla, I get a login request on my next request.

Also if I only login to one site, even though I get the SSO cookie, when I invalidate the session, I immediately get a login request. Strange.

This is not correct behaviour for Tomcat, is it?

Adam
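The observation above (invalidating the local session leaves the JSESSIONIDSSO cookie valid, while deleting that cookie forces a fresh login) is the whole logout problem in miniature. The servlet below is an added illustration written for this thread, not code from Tomcat or from either poster: it invalidates the webapp's own session and also expires the SSO cookie in the browser, so a logout link actually ends the single-sign-on session. It assumes the default SingleSignOn configuration, where the valve sets the cookie with path "/", and it assumes a public page named loggedout.html to redirect to.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Example logout servlet (added illustration, not Tomcat code).
 *
 * Calling session.invalidate() only ends this webapp's session. The
 * JSESSIONIDSSO cookie issued by the SingleSignOn valve stays in the
 * browser, so the next request to any SSO-protected webapp on the same
 * Tomcat is re-authenticated silently. Expiring that cookie as well is
 * what turns "invalidate" into a real logout for this browser.
 */
public class LogoutServlet extends HttpServlet {

    // Cookie name used by Tomcat's SingleSignOn valve (seen in the thread).
    private static final String SSO_COOKIE = "JSESSIONIDSSO";

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // 1. Invalidate this webapp's own session (local logout).
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Expire the SSO cookie in the browser. The valve sets it with
        //    path "/" (assumption: default SingleSignOn configuration), so the
        //    expiring cookie must carry the same path, otherwise the browser
        //    treats it as a different cookie and keeps the old one.
        Cookie[] cookies = request.getCookies();
        if (cookies != null) {
            for (Cookie c : cookies) {
                if (SSO_COOKIE.equals(c.getName())) {
                    Cookie expired = new Cookie(SSO_COOKIE, "");
                    expired.setPath("/");
                    expired.setMaxAge(0);                 // 0 = delete immediately
                    expired.setSecure(request.isSecure());
                    response.addCookie(expired);
                }
            }
        }

        // 3. Land the user on a page that does not require authentication,
        //    so the redirect itself does not trigger a new login challenge.
        //    (loggedout.html is an assumed name, not a Tomcat resource.)
        response.sendRedirect(request.getContextPath() + "/loggedout.html");
    }
}
```

Map the servlet to a URL such as /logout in web.xml and point the application's logout link at it. Note that this is a browser-side logout: the valve's server-side SSO entry is only removed when the valve itself deregisters it, so a page that just invalidates the session, as in the JSP above, still leaves the SSO login usable from the same browser. Tomcat 7 and later also offer the Servlet 3.0 request.logout() call, which lets the container handle the logout rather than the application expiring cookies by hand.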


