Well upon clicking "logout" the following occurs:

session.removeAttribute("User");
session.invalidate();
response.sendRedirect("EULA.jsp");

If I close the browser window, and reopen it without clicking the logout
button, I can still get back into my active session.  How would I invalidate
the session upon closing the browser window?


On Mon, Oct 12, 2009 at 11:02 AM, Andre-John Mas <aj...@sympatico.ca> wrote:

>
> On 12-Oct-2009, at 10:51, Christopher Schultz wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Peter,
>>
>> On 10/12/2009 9:37 AM, Peter Crowther wrote:
>>
>>> 2009/10/12 Josh Gooding <josh.good...@gmail.com>:
>>>
>>>> To my knowledge the Single Sign on in Tomcat is a way for all of your
>>>> back end applications in your VH to recognize that you have logged in
>>>> to one place, and all of the apps belonging to that VH will be logged
>>>> into.
>>>>
>>>
>>> Correct.
>>>
>>>> What I am trying to do is restrict the login from users to one single
>>>> session.  (i.e. if you are logged in once, you cannot log in again
>>>> unless your session expires or you log out.)  Is this possible with
>>>> what is included with Tomcat or is this going to take some custom code?
>>>>
>>>
>>> You'll need custom code.
>>>
>>> Are you sure this is an appropriate requirement?  In particular, how
>>> do you plan to handle (say) a browser or client crash that loses the
>>> in-memory session cookie?
>>>
>>
>> Also, if the client "loses" their session cookie, how will the OP
>> uniquely identify the client in order to apply this policy?
>>
>
> The only solution I can think of is a non-session cookie that the web
> application deals with itself. If it can't find it mapped to the user's
> session-id in the application context, then the user is considered logged
> out. The catch is if the user opens up a new browser this will kill the
> existing session, so you would have to back this up with a dialogue warning
> the user that they are already logged in and logging in again will log out
> the other session.
>
> What is important is to balance the needs of single sign on and the
> security provided to the user of closing their browser, and thus ending
> their session.
>
> André
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

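The "custom code" Peter mentions and the warning dialogue André describes, written out as an added example for Tomcat 6 / Servlet 2.5 (this is not code from anyone in the thread). It assumes container-managed FORM or BASIC login through a Realm, so that req.getRemoteUser() carries the authenticated name; the class names SingleSessionRegistry, SingleSessionFilter and LogoutServlet, the page confirm-login.jsp and the parameter kickOther are assumptions, while the "User" attribute and EULA.jsp are taken from the post above. The three classes belong in three files.

```java
// ---- SingleSessionRegistry.java ----
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.*;
import javax.servlet.http.*;

/** One live HttpSession per user. Declared as a <listener> in web.xml. */
public class SingleSessionRegistry implements HttpSessionListener {
    // user name -> the single session currently allowed for that user
    private static final ConcurrentMap<String, HttpSession> ACTIVE =
            new ConcurrentHashMap<String, HttpSession>();

    /** Claims the slot for user; an older session is invalidated. Returns true if one was displaced. */
    public static boolean register(String user, HttpSession fresh) {
        fresh.setAttribute("User", user);
        HttpSession old = ACTIVE.put(user, fresh);
        if (old == null || old == fresh) {
            return false;
        }
        try {
            old.invalidate();               // fires sessionDestroyed for the old session
        } catch (IllegalStateException alreadyGone) {
            // timed out or invalidated concurrently: the slot is already free
        }
        return true;
    }

    public static boolean isLoggedInElsewhere(String user) {
        return ACTIVE.containsKey(user);
    }

    public void sessionCreated(HttpSessionEvent se) { }

    /** Runs on invalidate() and on timeout, so a crashed or closed client eventually frees its slot. */
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession s = se.getSession();
        Object user = s.getAttribute("User");       // attributes are still readable at this point
        if (user != null) {
            ACTIVE.remove(user.toString(), s);      // only if s is still the registered session
        }
    }
}

// ---- SingleSessionFilter.java ---- (mapped to /* in web.xml)
public class SingleSessionFilter implements Filter {
    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse resp = (HttpServletResponse) rs;
        String user = req.getRemoteUser();          // null until the Realm has authenticated
        HttpSession session = req.getSession(false);
        if (user != null && session != null && session.getAttribute("User") == null) {
            // First request after login: this session has not claimed the slot yet.
            boolean confirmed = "yes".equals(req.getParameter("kickOther"));
            if (SingleSessionRegistry.isLoggedInElsewhere(user) && !confirmed) {
                // Warn before displacing the other session; confirm-login.jsp (assumed)
                // re-submits the request with kickOther=yes.
                req.getRequestDispatcher("/confirm-login.jsp").forward(req, resp);
                return;
            }
            SingleSessionRegistry.register(user, session);
        }
        chain.doFilter(rq, rs);
    }
}

// ---- LogoutServlet.java ----
public class LogoutServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();                   // sessionDestroyed above frees the slot
        }
        // Also expire the browser's copy of the id (Tomcat's cookie is JSESSIONID);
        // the path must match the one Tomcat set: the context path, or "/" for ROOT.
        Cookie gone = new Cookie("JSESSIONID", "");
        gone.setMaxAge(0);
        gone.setPath(req.getContextPath().length() == 0 ? "/" : req.getContextPath());
        resp.addCookie(gone);
        resp.sendRedirect("EULA.jsp");
    }
}
```

Wire it up in web.xml with a listener entry for SingleSessionRegistry, a filter mapping of SingleSessionFilter to /*, and a session-timeout value in minutes. The server never sees a browser window close: the JSESSIONID cookie Tomcat issues has no Max-Age, so most browsers drop it on exit, but a browser that restores its previous session keeps it, and the server-side session lives on regardless until it times out. The timeout is therefore what bounds how long a session outlives its window, and because sessionDestroyed also runs on timeout, a crashed client's slot is released without any operator action.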