I have a conceptual question wrt the Single Sign On behaviour.

Let's assume there are two applications /app1 and /app2, and there is a SSO 
setup on them both. Now, user logs into the /app1 (which requires 
authentication) and /app2 (which uses SSO Cookie, no authentication then), 
and later on makes use of only one of them (say: /app1) for quite a long 
time, so that this period outlives the session expiry date of the unused 
application (/app2). Provided that both applications establish their own 
sessions the one created in the scope of constantly used application 
(/app1) wouldn't expire, while the second one definitely would. 

Now the question: As both sessions are gathered into a higher-level SSO 
session, would it be against the specification if *all* standard sessions 
were aged (eg. by calling session.access()) on each request containing 
valid SSO cookie? I suggest that there should be a flag on the SSO Valve, 
that is org.apache.catalina.authenticator.SingleSignOn allowing users to 
specify the behaviour. If nobody objects, I could try to provide apropriate 


To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to