On Tue, 28 Jan 2003, Will Hartung wrote:

> Date: Tue, 28 Jan 2003 13:32:46 -0800
> From: Will Hartung <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: Re: Doubt in Single Sign On !!!
>
> > From: "Craig R. McClanahan" <[EMAIL PROTECTED]>
> > Sent: Tuesday, January 28, 2003 1:04 PM
> > Subject: Re: Doubt in Single Sign On !!!
> >
> > The reason for this design is security.
> >
> > Consider a portal-type application like My Yahoo, which implements their
> > version of single sign on (you don't have to log in to mail, then to
> > games, then to ...). I browse around between the apps, and decide to log
> > out. Should the effect of this logout be global? I would suggest that it
> > should -- you don't want to be in an Internet cafe and log out of one
> > Yahoo app, but forget that you haven't logged out of all the rest.
>
> All well and good, but it seems to me that the problem that is being
> described here is that the sessions of each application have their own
> distinct timers, rather than a global timer for the single-sign-on session.
>

True ... there is no such thing as a cross-application session defined in
the servlet spec.

> Using Yahoo as an example, and, say, a 15 minute timeout, it would be a fair
> expectation that if I log in to Yahoo, go read my mail, and then go and play
> Yahoo Cribbage for 30 minutes, then I would expect at the end of my last
> game to be able to pop back over to Yahoo Mail and still be authenticated.
>
> What is being described here sounds as if in this contrived example the
> Yahoo Mail will time out in 15 minutes because it wasn't accessed, even
> though I was still "logged in" and active over on Yahoo Games.
>
> > In the servlet world, session timeout logs you out (if you're using form
> > based login). Therefore, it should be (and is) treated the same as an
> > explicit logout by the user.
>
> Of course. The difficulty here is that the actual application sessions
> perhaps need some kind of tie to the overall master single-sign-on session,
> and not time out until the SSO session times out.
>

You're outside the bounds of the servlet spec when you talk about this, but
nothing stops a container from providing something like it.

> Regards,
>
> Will Hartung
> ([EMAIL PROTECTED])
>

Craig

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
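As an added illustration (not code from the thread, from Tomcat, or from the servlet spec), the following Python model contrasts the two timeout semantics the thread discusses. Mode "per-app" is the behaviour Craig describes: every application session keeps its own idle timer, and an idle timeout is treated exactly like an explicit logout, which is global. Mode "tied" is the hypothetical container-specific behaviour Will asks for: application sessions stay valid as long as a master SSO timer does, and activity in any application refreshes that master timer. The 15-minute timeout, the "mail"/"games" application names and the timeline are constructed from Will's example.

```python
"""Model of SSO logout/timeout semantics. Constructed example; the class and
method names (SsoSession, touch, expire_idle, ...) are hypothetical and do not
correspond to any Tomcat or servlet API."""
from dataclasses import dataclass, field

TIMEOUT = 15 * 60  # idle timeout in seconds: 15 minutes, as in Will's example


@dataclass
class AppSession:
    """One web application's session, with its own last-access timestamp."""
    app: str
    last_access: float


@dataclass
class SsoSession:
    """The container's single-sign-on entry that groups the per-app sessions."""
    mode: str                     # "per-app" (servlet-spec style) or "tied" (hypothetical)
    last_access: float            # master timer, refreshed by activity in any app
    valid: bool = True
    apps: dict = field(default_factory=dict)

    def touch(self, app: str, now: float) -> bool:
        """A request to `app` at time `now`. Returns False if the sign-on is already gone."""
        self.expire_idle(now)
        if not self.valid:
            return False
        self.last_access = now
        sess = self.apps.get(app)
        if sess is None:
            self.apps[app] = AppSession(app, now)
        else:
            sess.last_access = now
        return True

    def logout(self) -> None:
        """Explicit logout is global: the SSO entry and every app session go away."""
        self.valid = False
        self.apps.clear()

    def expire_idle(self, now: float) -> None:
        """What a container's background session reaper would do at time `now`."""
        if not self.valid:
            return
        if self.mode == "tied":
            # Only the master timer matters; app sessions live as long as it does.
            if now - self.last_access >= TIMEOUT:
                self.logout()
            return
        # "per-app": each app session times out on its own, and that timeout is
        # treated the same as an explicit (global) logout, as the thread states.
        for sess in list(self.apps.values()):
            if now - sess.last_access >= TIMEOUT:
                self.logout()
                return

    def is_authenticated(self, app: str, now: float) -> bool:
        """Would a request to `app` at time `now` still be authenticated?"""
        self.expire_idle(now)
        if not self.valid:
            return False
        if self.mode == "tied":
            return True            # master session alive => every app is signed on
        return app in self.apps


def scenario(mode: str) -> dict:
    """Will's timeline: log in to Mail, play Games for 30 minutes (one request
    every 5 minutes), then come back to Mail one minute later."""
    sso = SsoSession(mode=mode, last_access=0.0)
    sso.touch("mail", 0.0)
    now = 0.0
    while now < 30 * 60:
        now += 5 * 60
        sso.touch("games", now)
    back = now + 60
    return {"mail": sso.is_authenticated("mail", back),
            "games": sso.is_authenticated("games", back)}


def explicit_logout(mode: str) -> dict:
    """Logging out of one app ends the whole sign-on, in both modes."""
    sso = SsoSession(mode=mode, last_access=0.0)
    sso.touch("mail", 0.0)
    sso.touch("games", 10.0)
    sso.logout()
    return {"mail": sso.is_authenticated("mail", 20.0),
            "games": sso.is_authenticated("games", 20.0)}


if __name__ == "__main__":
    for mode in ("per-app", "tied"):
        print(mode, "after 30 min in Games:", scenario(mode),
              "| after explicit logout:", explicit_logout(mode))
```

In "per-app" mode the idle Mail session expires at the 15-minute mark, which (being treated as a logout) takes the Games session down with it even though the user was active there; in "tied" mode the master timer keeps being refreshed by the Games requests, so Mail is still authenticated afterwards. Explicit logout is global in both modes, which is the security property Craig's design preserves.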