Re: form-based authentication session.invalidate

2003-10-12 Thread Adam Hardy
Although I've no real idea what an internal tomcat SessionEvent is, it sounds like it's a bug. Give me the word and I'll enter it in bugzilla.
Adam
On 10/12/2003 01:57 AM Tim Funk wrote:
Hmm. I always thought that when using the SSO valve, logging out of one webapp automatically logs you out

form-based authentication session.invalidate

2003-10-11 Thread Adam Hardy
I am using session.invalidate() to try to cause the user to receive another login request, using CMS form-based authentication. I saw the same issue in bugzilla but for basic authentication: http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12147 where the tomcat developer/bugzilla person

Re: form-based authentication session.invalidate

2003-10-11 Thread Tim Funk
Authentication information is somewhat stored in the session for form-based authentication. (I can't remember the specifics.) So using session.invalidate should log the user out. This works since the session id, which is a cookie or URL rewriting scheme, is what the browser keys in on. By

Re: form-based authentication session.invalidate

2003-10-11 Thread Adam Hardy
I have just figured out that the SSO in JSESSIONIDSSO stands for single-sign-on. I have the following JSP: remote user <%=request.getRemoteUser() %> in session <%= session.getId() %> <% session.invalidate(); %> and after doing a login, I saw I got JSESSIONID and JSESSIONIDSSO cookies. I then go to a

Re: form-based authentication session.invalidate

2003-10-11 Thread Tim Funk
Hmm. I always thought that when using the SSO valve, logging out of one webapp automatically logs you out of all webapps. The 5 code looks broken based on *very quick* inspection compared to 4.1 based on lines 304-308. if ( event.getData() != null logout.equals(