Bert,
You're quite right and I now see why my SSO was never getting scrubbed:
session.setMaxInactiveInterval(1); session.invalidate();
The result of this was that when the check you pointed out was performed it was always true, therefore removeSession(ssoId, session); was always getting called rather than deregister(ssoId);.
Thanks for helping me find this out as I now no longer need to use this customisation!
-Mike Fowler
"I could be a genius if I just put my mind to it, and I, I could do anything, if only I could get 'round to it"
Summers, Bert W. wrote:
Looking at SingleSignOn sessionEvent code it seems that if you invalidate a session it does kill all the sessions.
Only if the session died from timeout do other sessions survive. This is from TC5.0.25
// Was the session destroyed as the result of a timeout?
// If so, we'll just remove the expired session from the
// SSO. If the session was logged out, we'll log out
// of all session associated with the SSO.
if (System.currentTimeMillis() - session.getLastAccessedTime() >=
    session.getMaxInactiveInterval() * 1000) {
    removeSession(ssoId, session);
} else {
    // The session was logged out.
    // Deregister this single session id, invalidating
    // associated sessions
    deregister(ssoId);
}
[snip]
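The comparison quoted above, modelled as an added stand-alone example (not Tomcat's code and not written by either poster; the class, enum and method names are hypothetical, and the timestamps are constructed). It shows how the same test classifies an explicit invalidate() with a normal timeout, with the one-second interval set first, and with a negative interval.

```java
// Added illustration of the timeout-vs-logout test in the quoted
// sessionEvent code. Names here are hypothetical, not Tomcat's.
public class SsoDestroyCheck {

    enum Action { REMOVE_SESSION_ONLY, DEREGISTER_SSO }

    // Same comparison as the quoted code: a destroyed session is treated
    // as "timed out" when its idle time at destruction is at least
    // maxInactiveInterval seconds.
    static Action classify(long nowMillis, long lastAccessedMillis,
                           int maxInactiveIntervalSecs) {
        if (nowMillis - lastAccessedMillis >= maxInactiveIntervalSecs * 1000L) {
            // Only this session leaves the SSO; the SSO entry and the
            // other sessions registered under it stay alive.
            return Action.REMOVE_SESSION_ONLY;
        }
        // Treated as a logout: every session under the SSO is invalidated.
        return Action.DEREGISTER_SSO;
    }

    public static void main(String[] args) {
        long now = System.currentTimeMillis();
        long lastAccessed = now - 5_000; // constructed: last access 5 s ago

        // invalidate() with a 30-minute timeout: read as a logout.
        System.out.println("interval 1800: " + classify(now, lastAccessed, 1800));

        // setMaxInactiveInterval(1) then invalidate(): the 5 s idle time
        // exceeds the 1 s limit, so the logout is read as a timeout.
        System.out.println("interval 1:    " + classify(now, lastAccessed, 1));

        // A negative interval makes the right-hand side negative, so the
        // comparison is also always true.
        System.out.println("interval -1:   " + classify(now, lastAccessed, -1));
    }
}
```

Run with `java SsoDestroyCheck.java`; only the first case yields DEREGISTER_SSO, which is the path that ends the other sessions tied to the same SSO id.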
