Will this be supported in future releases of Tomcat?

Craig R. McClanahan wrote:

On Tue, 28 Jan 2003, Will Hartung wrote:


Date: Tue, 28 Jan 2003 13:32:46 -0800
From: Will Hartung <[EMAIL PROTECTED]>
Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
To: Tomcat Users List <[EMAIL PROTECTED]>
Subject: Re: Doubt in Single Sign On !!!


From: "Craig R. McClanahan" <[EMAIL PROTECTED]>
Sent: Tuesday, January 28, 2003 1:04 PM
Subject: Re: Doubt in Single Sign On !!!


The reason for this design is security.

Consider a portal-type application like My Yahoo, which implements their
version of single sign on (you don't have to log in to mail, then to
games, then to ...). I browse around between the apps, and decide to log
out. Should the effect of this logout be global? I would suggest that it
should -- you don't want to be in an Internet cafe and log out of one
Yahoo app, but forget that you haven't logged out of all the rest.

All well and good, but it seems to me that the problem that is being
described here is that the sessions of each application have their own
distinct timers, rather than a global timer for the single-sign-on session.


True ... there is no such thing as a cross-application session defined in
the servlet spec.


Using Yahoo as an example, and, say, a 15 minute timeout, it would be a fair
expectation that if I log in to Yahoo, go read my mail, and then go and play
Yahoo Cribbage for 30 minutes, then I would expect at the end of my last
game to be able to pop back over to Yahoo Mail and still be authenticated.

What is being described here sounds as if, in this contrived example,
Yahoo Mail will time out in 15 minutes because it wasn't accessed, even
though I was still "logged in" and active over on Yahoo Games.


In the servlet world, session timeout logs you out (if you're using form
based login). Therefore, it should be (and is) treated the same as an
explicit logout by the user.

Of course. The difficulty here is that the actual application sessions
perhaps need some kind of tie to the overall master single sign-on session,
and not time out until the SSO session times out.


You're outside the bounds of the servlet spec when you talk about this,
but nothing stops a container from providing something like it.


Regards,

Will Hartung
([EMAIL PROTECTED])


Craig
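The two timeout behaviours debated above, as an added model that is not Tomcat's code and not part of the original thread: under the policy Craig describes, each webapp session keeps its own idle timer and a timed-out session counts as a logout that ends the SSO session everywhere; under the policy Will asks for, one master timer is refreshed by activity in any app. The policy names, the SsoSession class and the Yahoo scenario are this example's own assumptions.

```python
"""Constructed model of per-app vs. master SSO idle timeouts (not Tomcat code)."""
from dataclasses import dataclass, field

TIMEOUT = 15  # idle timeout in minutes, the figure used in the thread


@dataclass
class SsoSession:
    policy: str                     # "per_app" or "sso_master" (names are assumed here)
    last_access: dict = field(default_factory=dict)  # app name -> minute of last request
    sso_last_access: int = 0        # minute of the last request to any app
    logged_in: bool = True

    def _expire(self, now):
        if self.policy == "per_app":
            # Each webapp session has its own idle timer. A session that times
            # out is treated like an explicit logout, which (as the thread
            # describes) logs the user out of every app in the SSO group.
            for t in self.last_access.values():
                if now - t > TIMEOUT:
                    self.logged_in = False
        else:
            # One master timer refreshed by activity in any app; app sessions
            # stay valid for as long as the SSO session itself is valid.
            if now - self.sso_last_access > TIMEOUT:
                self.logged_in = False

    def request(self, app, now):
        """Return True if a request to `app` at minute `now` is still authenticated."""
        self._expire(now)
        if not self.logged_in:
            return False
        self.last_access[app] = now
        self.sso_last_access = now
        return True


def yahoo_scenario(policy):
    """Log in, read mail at minute 0, play games for 30 minutes, then return to mail."""
    sso = SsoSession(policy)
    sso.request("mail", 0)
    for minute in range(0, 31, 5):  # a move in Games every five minutes
        if not sso.request("games", minute):
            return False            # logged out mid-game by Mail's idle timer
    return sso.request("mail", 30)
```

Running the scenario shows the per-app policy logging the user out at minute 20 (Mail idle since minute 0), while the master-timer policy keeps the Mail session authenticated at minute 30.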


--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>