On Tue, 28 Jan 2003, shanmugampl wrote:
> Date: Tue, 28 Jan 2003 10:46:13 +0530
> From: shanmugampl <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: Re: Doubt in Single Sign On !!!
>
> Yeah, I accept that SSO is for authentication purposes alone.
>
> My problem is different. Let us consider the same two contexts A and B.
> I authenticate myself at context A. Once I authenticate, a JSESSIONIDSSO
> is created and sent as a cookie. The StandardSession object for context
> A will be associated to the SSO ID. Now after some time if I move on to
> context B, then the StandardSession object of context B will also be
> associated with the SSO ID. If my timeout period is 20 minutes and if I
> stay in context B alone for more than that time, the session of context
> A will be timed out. When this happens, the SSO ID will be deregistered and
> as a result all the associated sessions will be invalidated. Therefore
> at the time of this happening, even if I am actively working in context
> B, I will be asked to reauthenticate myself.

The reason for this design is security. Consider a portal-type application like My Yahoo, which implements their version of single sign on (you don't have to log in to mail, then to games, then to ...). I browse around between the apps, and decide to log out. Should the effect of this logout be global? I would suggest that it should -- you don't want to be in an Internet cafe and log out of one Yahoo app, but forget that you haven't logged out of all the rest.

In the servlet world, session timeout logs you out (if you're using form based login). Therefore, it should be (and is) treated the same as an explicit logout by the user.

> This is the reason why I thought that SSO should take care of session
> timeouts also.

If session timeouts are biting you, set longer session timeouts.

> Thanks
> Shanmugam.PL

Craig

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
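A constructed Python model of the coupling described in this thread (added here; it is not Tomcat's own code), so the cascade and the effect of a longer timeout can be checked: the names Session, SingleSignOn and simulate are my own, the SSO id value is made up, and the clock is simulated minutes rather than real time.

```python
from dataclasses import dataclass


@dataclass
class Session:
    """One per-context session with a simulated inactivity clock (minutes)."""
    context: str
    timeout: int            # inactivity limit in minutes
    last_access: int = 0    # simulated clock value of the last request
    valid: bool = True

    def touch(self, now: int) -> None:
        self.last_access = now

    def expired(self, now: int) -> bool:
        return self.valid and now - self.last_access >= self.timeout


class SingleSignOn:
    """Registry of SSO id -> associated sessions (model of the behaviour, not the valve)."""
    def __init__(self) -> None:
        self.registry: dict[str, list[Session]] = {}

    def register(self, sso_id: str) -> None:
        self.registry[sso_id] = []

    def associate(self, sso_id: str, session: Session) -> None:
        self.registry[sso_id].append(session)

    def deregister(self, sso_id: str) -> None:
        # Deregistering the SSO id invalidates every session tied to it.
        for session in self.registry.pop(sso_id, []):
            session.valid = False

    def expire_sessions(self, now: int) -> None:
        # Any single expiring session deregisters the whole SSO entry.
        for sso_id, sessions in list(self.registry.items()):
            if any(s.expired(now) for s in sessions):
                self.deregister(sso_id)


def simulate(timeout: int, minutes_in_b: int) -> tuple[bool, bool]:
    """Log in at A at minute 0, switch to B at minute 5, then work only in B."""
    sso = SingleSignOn()
    sso.register("sso-1")                     # constructed JSESSIONIDSSO value
    a = Session("A", timeout, last_access=0)
    sso.associate("sso-1", a)
    b = Session("B", timeout, last_access=5)
    sso.associate("sso-1", b)
    for now in range(6, 6 + minutes_in_b):    # one request to B per minute
        b.touch(now)
        sso.expire_sessions(now)
    return a.valid, b.valid
```

With a 20 minute timeout and 30 minutes spent only in B, both sessions end up invalid even though B was active throughout; raising the timeout above the time spent away from A keeps both alive.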