On 12-Oct-2009, at 10:51, Christopher Schultz wrote:


Peter,

On 10/12/2009 9:37 AM, Peter Crowther wrote:
2009/10/12 Josh Gooding <josh.good...@gmail.com>:
To my knowledge the Single Sign on in Tomcat is a way for all of your back end applications in your VH to recognize that you have logged in to one
place, and all of the apps belonging to that VH will be logged into.

Correct.

What I am trying to do is restrict the login from users to one single session. (i.e. if you are logged in once, you cannot log in again unless
your session expires or you log out.)  Is this possible with what is
included with Tomcat or is this going to take some custom code?

You'll need custom code.

Are you sure this is an appropriate requirement?  In particular, how
do you plan to handle (say) a browser or client crash that loses the
in-memory session cookie?

Also, if the client "loses" their session cookie, how will the OP
uniquely identify the client in order to apply this policy?

The only solution I can think of is a non-session cookie that the web application deals with itself.
If it can't find it mapped to the user's session id in the application context, then the user is
considered logged out. The catch is that if the user opens up a new browser this will kill the
existing session, so you would have to back this up with a dialogue warning the user that they are
already logged in and that logging in again will log out the other session.

What is important is to balance the needs of single sign on and the security provided
to the user of closing their browser, and thus ending their session.

André
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
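As an added example (not code from Tomcat and not from any participant in this thread), this is what the custom code Peter mentions could look like, following the approach André outlines: the application keeps its own user-to-session map in the application context, a login while another session is live goes through a warning page, and confirming the warning invalidates the other session. It uses the javax.servlet API of the Tomcat 6 era. The names SingleSessionRegistry, LoginServlet, checkPassword, the pendingUser attribute, the confirm=takeover parameter and the /already-logged-in.jsp page are all assumed.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Added example, not Tomcat code: one live session per user, enforced by the
 * web application itself. Register it in web.xml as a <listener>.
 */
public class SingleSessionRegistry implements ServletContextListener, HttpSessionListener {

    private static final String ATTR = SingleSessionRegistry.class.getName();
    private static final String USER_ATTR = ATTR + ".user";

    /** username -> the single live session for that user; guarded by this. */
    private final Map<String, HttpSession> live = new HashMap<String, HttpSession>();

    public void contextInitialized(ServletContextEvent sce) {
        sce.getServletContext().setAttribute(ATTR, this);
    }
    public synchronized void contextDestroyed(ServletContextEvent sce) {
        live.clear();
    }
    public static SingleSessionRegistry get(ServletContext ctx) {
        return (SingleSessionRegistry) ctx.getAttribute(ATTR);
    }

    /** True if a different session is already bound to this user. */
    public synchronized boolean hasOtherSession(String user, HttpSession current) {
        HttpSession s = live.get(user);
        return s != null && !s.getId().equals(current.getId());
    }

    /**
     * Bind the user to this session. Any earlier session for the same user is
     * invalidated, which is what makes "log in again" log the other browser out.
     * The caller shows the warning dialogue first when hasOtherSession() is true.
     */
    public synchronized void register(String user, HttpSession session) {
        HttpSession old = live.put(user, session);
        session.setAttribute(USER_ATTR, user);
        if (old != null && !old.getId().equals(session.getId())) {
            try {
                old.invalidate(); // fires sessionDestroyed(old) on this thread
            } catch (IllegalStateException alreadyInvalid) {
                // expired between lookup and invalidate(); nothing left to do
            }
        }
    }

    public void sessionCreated(HttpSessionEvent se) { }

    /**
     * Logout, timeout and invalidate() all arrive here. Timeout is what finally
     * frees the slot of a client whose browser crashed and lost its cookie; until
     * then that user can only get back in through the takeover path.
     */
    public synchronized void sessionDestroyed(HttpSessionEvent se) {
        HttpSession s = se.getSession();
        String user = (String) s.getAttribute(USER_ATTR);
        if (user == null) return;
        HttpSession current = live.get(user);
        // Drop the mapping only if it still points at the dying session;
        // register() may already have replaced it with the new one.
        if (current != null && current.getId().equals(s.getId())) {
            live.remove(user);
        }
    }
}

/** Hypothetical login handler; checkPassword() is the application's own check. */
abstract class LoginServlet extends HttpServlet {
    private static final String PENDING = "SingleSessionRegistry.pendingUser";

    protected abstract boolean checkPassword(String user, String password);

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(true);
        SingleSessionRegistry reg = SingleSessionRegistry.get(getServletContext());

        // Second step: the warning page posted back with confirm=takeover.
        if ("takeover".equals(req.getParameter("confirm"))) {
            String pending = (String) session.getAttribute(PENDING);
            if (pending == null) { resp.sendError(HttpServletResponse.SC_BAD_REQUEST); return; }
            session.removeAttribute(PENDING);
            reg.register(pending, session); // logs the other browser out
            resp.sendRedirect(req.getContextPath() + "/");
            return;
        }

        // First step: ordinary credential check.
        String user = req.getParameter("username");
        if (user == null || !checkPassword(user, req.getParameter("password"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (reg.hasOtherSession(user, session)) {
            // Park the verified name and ask for confirmation, so the password
            // is not resubmitted with the answer.
            session.setAttribute(PENDING, user);
            req.getRequestDispatcher("/already-logged-in.jsp").forward(req, resp);
            return;
        }
        reg.register(user, session);
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```

One design choice differs from André's sketch: instead of an extra non-session cookie, the key is the username established by the password check, so the policy works even when the client has lost its session cookie (the crash case Peter and Christopher raise). The cost is that such a user cannot log back in without confirming the takeover until the orphaned session times out, which is the trade-off between the policy and ordinary session expiry that André describes. The warning page only needs a form that posts confirm=takeover back to the same login URL; the confirmation is a POST, not a GET, because it changes server-side state.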
