Well upon clicking "logout" the following occurs:

    session.removeAttribute("User");
    session.invalidate();
    response.sendRedirect("EULA.jsp");

If I close the browser window, and reopen it without clicking the logout button, I can still get back into my active session. How would I invalidate the session upon closing the browser window?

On Mon, Oct 12, 2009 at 11:02 AM, Andre-John Mas <aj...@sympatico.ca> wrote:
>
> On 12-Oct-2009, at 10:51, Christopher Schultz wrote:
>
>> Peter,
>>
>> On 10/12/2009 9:37 AM, Peter Crowther wrote:
>>
>>> 2009/10/12 Josh Gooding <josh.good...@gmail.com>:
>>>
>>>> To my knowledge the Single Sign on in Tomcat is a way for all of your
>>>> back end applications in your VH to recognize that you have logged in to one
>>>> place, and all of the apps belonging to that VH will be logged into.
>>>
>>> Correct.
>>>
>>>> What I am trying to do is restrict the login from users to one single
>>>> session. (i.e. if you are logged in once, you cannot log in again unless
>>>> your session expires or you log out.) Is this possible with what is
>>>> included with Tomcat or is this going to take some custom code?
>>>
>>> You'll need custom code.
>>>
>>> Are you sure this is an appropriate requirement? In particular, how
>>> do you plan to handle (say) a browser or client crash that loses the
>>> in-memory session cookie?
>>
>> Also, if the client "loses" their session cookie, how will the OP
>> uniquely identify the client in order to apply this policy?
>
> The only solution I can think of is a non-session cookie that the web application
> deals with itself. If it can't find it mapped to the user's session-id in the application
> context, then the user is considered logged out. The catch is if the user opens up
> a new browser this will kill the existing session, so you would have to back this up
> with a dialogue warning the user that they are already logged in and logging in again
> will log out the other session.
>
> What is important is to balance the needs of single sign on and the security provided
> to the user of closing their browser, and thus ending their session.
>
> André
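A server-side version of the single-active-session policy discussed in this thread, added here as an example (not code from the thread or from Tomcat): instead of a separate cookie it keeps a registry in the ServletContext keyed on the "User" session attribute that the logout code above already uses, and invalidates the user's earlier session when a new login sets that attribute. It assumes the login code stores the user name as a String under "User" and that the class is registered as a listener in web.xml.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.ServletContext;
import javax.servlet.http.*;

/* One live session per user: when login stores the "User" attribute (assumed to hold the
 * login name), any earlier session of that user is invalidated server-side. Register the
 * class as a <listener> in web.xml. Illustrative code for this thread, not part of Tomcat. */
public class SingleSessionPerUser implements HttpSessionListener, HttpSessionAttributeListener {
    private static final String USER_ATTR = "User";          // set by the login code
    private static final String REGISTRY = "sessionsByUser"; // ServletContext attribute
    @SuppressWarnings("unchecked")
    private static ConcurrentMap<String, HttpSession> registry(ServletContext ctx) {
        synchronized (ctx) {   // lazy, thread-safe creation of the shared map
            ConcurrentMap<String, HttpSession> m =
                    (ConcurrentMap<String, HttpSession>) ctx.getAttribute(REGISTRY);
            if (m == null) ctx.setAttribute(REGISTRY, m = new ConcurrentHashMap<String, HttpSession>());
            return m;
        }
    }
    // Record 'current' as the user's session and invalidate the previous one, if different.
    private static void bind(HttpSession current, String user) {
        HttpSession previous = registry(current.getServletContext()).put(user, current);
        if (previous != null && !previous.getId().equals(current.getId())) {
            try { previous.invalidate(); } catch (IllegalStateException e) { /* already gone */ }
        }
    }
    // Drop the entry only if it still points at this session (a newer login keeps its own).
    private static void unbind(HttpSession s, Object user) {
        if (user != null) registry(s.getServletContext()).remove(String.valueOf(user), s);
    }
    public void attributeAdded(HttpSessionBindingEvent ev) {      // login
        if (USER_ATTR.equals(ev.getName())) bind(ev.getSession(), String.valueOf(ev.getValue()));
    }
    public void attributeReplaced(HttpSessionBindingEvent ev) {   // getValue() is the OLD name
        if (!USER_ATTR.equals(ev.getName())) return;
        unbind(ev.getSession(), ev.getValue());
        bind(ev.getSession(), String.valueOf(ev.getSession().getAttribute(USER_ATTR)));
    }
    public void attributeRemoved(HttpSessionBindingEvent ev) {    // the logout's removeAttribute("User")
        if (USER_ATTR.equals(ev.getName())) unbind(ev.getSession(), ev.getValue());
    }
    public void sessionCreated(HttpSessionEvent ev) { }
    public void sessionDestroyed(HttpSessionEvent ev) {           // invalidate() or timeout
        HttpSession s = ev.getSession();
        try { unbind(s, s.getAttribute(USER_ATTR)); } catch (IllegalStateException e) { /* already cleared */ }
    }
}
```

Closing a browser window is not an event the server can observe; the browser discards Tomcat's non-persistent JSESSIONID cookie only when the whole browser exits, so the server-side inactivity timeout (session-timeout in web.xml) is what actually bounds an abandoned session.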