I have a conceptual question wrt the Single Sign On behaviour. Let's assume there are two applications, /app1 and /app2, and there is an SSO setup on them both. Now, the user logs into /app1 (which requires authentication) and /app2 (which uses the SSO cookie, so no authentication then), and later on makes use of only one of them (say: /app1) for quite a long time, so that this period outlives the session expiry date of the unused application (/app2). Provided that both applications establish their own sessions, the one created in the scope of the constantly used application (/app1) wouldn't expire, while the second one definitely would.
Now the question: As both sessions are gathered into a higher-level SSO session, would it be against the specification if *all* standard sessions were aged (e.g. by calling session.access()) on each request containing a valid SSO cookie? I suggest that there should be a flag on the SSO Valve, that is org.apache.catalina.authenticator.SingleSignOn, allowing users to specify the behaviour. If nobody objects, I could try to provide an appropriate patch.

cheers,
/dd
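
The two behaviours described in the question, as a small model added here for illustration; it is not Tomcat code and not the poster's patch. The `touch_all` flag, the 30-minute timeouts and the request times are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class AppSession:
    max_inactive: int      # idle timeout in seconds
    last_access: int = 0   # time of the last access(), in seconds


def replay(requests, timeouts, end, touch_all):
    """Replay (time, app) requests that carry a valid SSO cookie.

    Returns {app: time its session timed out, or None if alive at `end`}.
    """
    # Model assumption: the user logged into every app at t=0.
    live = {app: AppSession(t) for app, t in timeouts.items()}
    expired_at = {app: None for app in timeouts}

    def reap(now):
        # Drop sessions whose idle time exceeded their own timeout.
        for app, s in list(live.items()):
            deadline = s.last_access + s.max_inactive
            if now > deadline:
                expired_at[app] = deadline
                del live[app]

    for now, app in sorted(requests):
        reap(now)
        if touch_all:
            targets = list(live.values())   # proposed flag: age every session
        else:
            targets = [live[app]] if app in live else []  # only the hit app
        for s in targets:
            s.last_access = now
    reap(end)
    return expired_at


# Constructed scenario: 30-minute timeouts, /app1 hit every 10 minutes for 2 hours.
TIMEOUTS = {"/app1": 1800, "/app2": 1800}
REQUESTS = [(t, "/app1") for t in range(600, 7201, 600)]
END = 7200

if __name__ == "__main__":
    print("per-app ageing:", replay(REQUESTS, TIMEOUTS, END, touch_all=False))
    print("touch all     :", replay(REQUESTS, TIMEOUTS, END, touch_all=True))
```

With the flag on, each application's idle timeout no longer measures inactivity in that application; it measures inactivity of the SSO session as a whole, so an unused application's session stays valid for as long as any sibling application is in use.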