Looking at SingleSignOn sessionEvent code it seems that if you invalidate a
session it does kill all the sessions.
Only if the session died from timeout do other sessions survive.
This is from TC5.0.25
// Was the session destroyed as the result of a timeout?
// If so, we'll just remove the expired session from the
// SSO. If the session was logged out, we'll log out
// of all session associated with the SSO.
if (System.currentTimeMillis() - session.getLastAccessedTime() >=
session.getMaxInactiveInterval() * 1000) {
removeSession(ssoId, session);
} else {
// The session was logged out.
// Deregister this single session id, invalidating
// associated sessions
deregister(ssoId);
}
-----Original Message-----
From: Mike Fowler [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 24, 2004 1:59 AM
To: Tomcat Users List
Subject: Re: SingleSignOn
Hi Thomas,
The reason you can't log off from the second app is that web apps can not
talk to one another. Additionally, with the SingleSignOn feature when you
leave a web app with out invalidating the session, it remains attached to
the SingleSignOn session. The SingleSignOn session does not expire until all
attached sessions are invalid.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
