I have tried applying the patch, and I found three problems with it. First, its removal of a session from the SingleSignOnEntry object causes an IndexOutOfBounds exception. Second, the method for determining whether the user explicitly logged out or whether a session timed out doesn't scale one of the numbers correctly (i.e. comparing millisecond values to seconds). I have fixed the patch, but I don't have a diff of it yet (I'm new to helping with this project). Finally, the patch doesn't synchronize on 'reverse' when removing an entry from it.
The only other issue that I have with this patch is that if someone explicitly logged out at the same instant that the session timed out, the user may not be logged out of all of the applications. It is an unlikely scenario, but still a dangerous one. This is why it is better for the session object, when firing the destroyed event, to indicate whether it was destroyed by timeout or explicit invalidation.

Luke

-----Original Message-----
From: Brian Stansberry [mailto:[EMAIL PROTECTED]
Sent: Monday, November 24, 2003 10:43 AM
To: Tomcat Developers List
Subject: Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator SingleSignOnEntry.java AuthenticatorBase.java BasicAuthenticator.java DigestAuthenticator.java FormAuthenticator.java NonLoginAuthenticator.java SSLAuthentic

At 06:15 PM 11/24/2003 +0100, you wrote:
>Tim Funk wrote:
>
>>This means that the "logout" check is now back in, the revert from 1.6 -> 1.7 for bug http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23764
>>Diff link:
>>http://cvs.apache.org/viewcvs.cgi/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/SingleSignOn.java.diff?r1=1.6&r2=1.7&diff_format=h
>>Just an FYI, at this point, I don't know if that is good, bad, or neither.
>
>That's true.
>Maybe Brian can explain why he removed this (otherwise, I'll reapply the fix).

No, my mistake. I didn't intend to change anything related to session invalidation and didn't notice it in the diff. :(

Since the "logout" feature no longer is there, this means bug 9077 still applies to TC5. Is anyone aware of any issue with the proposed patch attached to that bug?

Brian Stansberry
WAN Concepts, Inc.
www.wanconcepts.com
Tel: (510) 894-0114 x 116
Fax: (510) 797-3005

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
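
The millisecond/second comparison and the simultaneous logout/timeout case raised in the thread above, as an added Java example (Java 16+; not the patch attached to bug 9077 and not Tomcat's code). `SessionInfo` and the method names are hypothetical; the assumption is that idle time is measured in milliseconds while the inactivity limit is held in seconds, as in the servlet `HttpSession` API.

```java
import java.util.concurrent.TimeUnit;

/** Added illustration only; all names here are hypothetical. */
public class SessionEndHeuristic {

    /** Stand-in for the two session values the heuristic reads. */
    record SessionInfo(long lastAccessedMillis, int maxInactiveSeconds) {}

    /** Flawed form: idle time is in milliseconds, the limit is in seconds. */
    static boolean timedOutUnscaled(SessionInfo s, long nowMillis) {
        return s.maxInactiveSeconds() > 0
                && nowMillis - s.lastAccessedMillis() >= s.maxInactiveSeconds();
    }

    /** Corrected form: convert the limit to milliseconds before comparing. */
    static boolean timedOutScaled(SessionInfo s, long nowMillis) {
        if (s.maxInactiveSeconds() <= 0) {
            return false; // a non-positive limit means the session never times out
        }
        long limitMillis = TimeUnit.SECONDS.toMillis(s.maxInactiveSeconds());
        return nowMillis - s.lastAccessedMillis() >= limitMillis;
    }

    public static void main(String[] args) {
        long now = 1_000_000_000L; // constructed clock value
        int limit = 1800;          // 30-minute timeout, in seconds

        // Constructed cases: logout 5 s after the last request, a real expiry,
        // and a logout issued at the instant the idle limit is reached.
        SessionInfo explicitLogout = new SessionInfo(now - 5_000, limit);
        SessionInfo expired = new SessionInfo(now - 1_800_000, limit);
        SessionInfo logoutAtLimit = new SessionInfo(now - 1_800_000, limit);

        // Unscaled check labels an explicit logout as a timeout, so the
        // single sign-on entry would be left in place.
        System.out.println("unscaled, explicit logout: timedOut="
                + timedOutUnscaled(explicitLogout, now));
        System.out.println("scaled, explicit logout:   timedOut="
                + timedOutScaled(explicitLogout, now));
        System.out.println("scaled, real expiry:       timedOut="
                + timedOutScaled(expired, now));
        // Same inputs as the real expiry: timing alone cannot tell them apart,
        // which is why the destroy event itself would need to carry the cause.
        System.out.println("scaled, logout at limit:   timedOut="
                + timedOutScaled(logoutAtLimit, now));
    }
}
```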