I have the following JSP:
remote user <%=request.getRemoteUser() %> in session <%= session.getId() %> <% session.invalidate(); %>
and after doing a login, I saw I got JSESSIONID and JSESSIONIDSSO cookies. I then go to a second site on my tomcat and get a second JSESSIONID without having to do a login coz of SSO.
Now going to this page which has the stuff above, and refreshing over and over always showed the following:
remote user adam in session EB2543D909D52551EA58C77E963CDD17 remote user adam in session EA33F35CCB3D1205A88226029C65939C remote user adam in session 8814C0365D3F0BDD97B1DE9B7EAECD17 remote user adam in session 1B7F0424190985F24A294EA2344888C5
I see the JSESSIONIDSSO cookie is keeping my remoteUser info active. This shouldn't be the case I'm sure. If I delete the SSO cookie in mozilla, I get a login request on my next request.
Also if I only login to one site, even though I get the SSO cookie, when I invalidate the session, I immediately get a login request. Strange.
This is not correct behaviour for tomcat, is it?
Adam
On 10/11/2003 06:04 PM Tim Funk wrote:
Authentication information is somewhat stored in the session for form based authentication. (I can't remember the specifics) So using session.invalidate should log the user out. This works since the session id which is a cookie or URL rewriting scheme is what the browser keys in on. By invalidating that id on the server, the browser is now sending an invalid credential and thus logged out.
In BASIC authentication, the credentials are stored in the web browser and sent when/if requested. So the only way to get rid of those stored credentials is by closing the web browser.
[Of course, when the web server is restarted or web app restarted - I can't recall what happens to the authentication information. ]
-Tim
Adam Hardy wrote:
I am using session.invalidate() to try to cause the user to receive another login request, using CMS form-based authentication.
I saw the same issue in bugzilla but for basic authentication:
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12147
where the tomcat developer/bugzilla person resolved the issue saying that CMS basic authentication cannot be manipulated in this way since the browser sends the login info with every request, requiring the user to close the browser before seeing another login request.
Is this the same for form-based authentication?
I thought that in tomcat4 I was getting new login request for the users just by invalidating their sessions. Am I deluding myself?
-- struts 1.1 + tomcat 5.0.12 + java 1.4.2 Linux 2.4.20 RH9
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
