Adam
On 10/12/2003 01:57 AM Tim Funk wrote:
Hmm. I always thought that when using the SSO valve, logging out of one webapp automatically logs you out of all webapps.
The 5 code looks broken based on *very quick* inspection compared to 4.1 based on lines 304-308.
if ( event.getData() != null && "logout".equals( event.getData().toString() )) { // logout of all applications deregister(ssoId); } else { // invalidate just one session deregister(ssoId, session); }
I haven't been able to locate how logout can be a value in a SessionEvent.
-Tim
Adam Hardy wrote:
I have just figured out that the SSO in JSESSIONIDSSO stands for single-sign-on.
I have the following JSP:
remote user <%=request.getRemoteUser() %> in session <%= session.getId() %> <% session.invalidate(); %>
and after doing a login, I saw I got JSESSIONID and JSESSIONIDSSO cookies. I then go to a second site on my tomcat and get a second JSESSIONID without having to do a login coz of SSO.
Now going to this page which has the stuff above, and refreshing over and over always showed the following:
remote user adam in session EB2543D909D52551EA58C77E963CDD17 remote user adam in session EA33F35CCB3D1205A88226029C65939C remote user adam in session 8814C0365D3F0BDD97B1DE9B7EAECD17 remote user adam in session 1B7F0424190985F24A294EA2344888C5
I see the JSESSIONIDSSO cookie is keeping my remoteUser info active. This shouldn't be the case I'm sure. If I delete the SSO cookie in mozilla, I get a login request on my next request.
Also if I only login to one site, even though I get the SSO cookie, when I invalidate the session, I immediately get a login request. Strange.
This is not correct behaviour for tomcat, is it?
Adam
-- struts 1.1 + tomcat 5.0.12 + java 1.4.2 Linux 2.4.20 RH9
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
