Hi Jan,
At 11:02 PM 9/20/2004 +0000, you wrote:
luehe 2004/09/16 11:18:41
Modified: catalina/src/share/org/apache/catalina/authenticator SingleSignOn.java Log: - Removed deregister(String ssoid), because it is no longer needed (used to be called when session was logged out, which is no longer supported)
I'm not sure what you meant here by "no longer supported." Do you mean the cross-webapp signout feature that deregister(String ssoid) provided, or has there been some more fundamental change in TC's handling of HttpSession.invalidate()?
I was referring to the removal of javax.servlet.http.HttpSession.logout(),
which had been added temporarily to Servlet 2.4 and was later removed
before the spec went final. See this log entry in the history of
javax.servlet.http.HttpSession:
revision 1.3 date: 2003/04/07 21:27:36; author: jfarcand; state: Exp; lines: +0 -15 As required by the upcoming Servlet spec 2.4 PFD 3, remove the logout() method.
This method was the only method that generated a SessionEvent of type SESSION_DESTROYED_EVENT with event data equal to "logout", which used to invalidate all remaining sessions (if any) associated with the SingleSignOn entry.
The code in sessionEvent() that checked the session's last accessed time was intended as a workaround to try to discriminate timeouts from intentional logouts after the logout() method was removed from the spec. It was applied as a fix to bug 9077, which complained about the SSO valve not invalidating related sessions. The CVS logs for SingleSignOn.java revs 1.7 and 1.11 touch on this and there was also some discussion on the dev list last Nov 24. I'm curious as to why this is no longer supported.
OK, my bad. I've restored the previous version. Maybe SessionEvent.getData() could have differentiated between session
expiration and session invalidation, so we would not have to determine
the cause of the SESSION_DESTROYED_EVENT by comparing
getLastAccessedTime() and getMaxInactiveInterval()?
In any case, as a result of this, I am going to restore this bullet in the Single Sign-On documentation, after removing the part marked by
[REMOVE ...]:
"As soon as the user logs out of one web application (for example, by invalidating [REMOVE: or timing out] the corresponding session if form based login is used), the user's sessions in all web applications will be invalidated. Any subsequent attempt to access a protected resource in any application will require the user to authenticate himself or herself again."
Thanks!
Jan
Could a config parameter be added to the valve to allow this behavior?
_________________________________________________________________
STOP MORE SPAM with the new MSN 8 and get 2 months FREE* http://join.msn.com/?page=features/junkmail
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
