Hi, Alan
I am using it exactly as you have mentioned. This means, at the end of the
login.jsp, I invalidate the session if there was a user already logged in
when hitting the page. I do this only after the entire page is already
rendered, so I don't lose the initial URI that the user tried to access.
What Martin probably suggested is that if you have multiple web-apps and
the authenticator is configured at host level, just invalidating the
session in one webapp does not log the user out. In that case, I think that
something like your code is necessary.
It would be good to know if that did the trick. BTW: I do have a custom
authenticator, but I still invalidate the session in the login page...it
works for now, including with Resin 2.1.0.
Cheers,
Tibi
----- Original Message -----
From: "Alan Wright" <alan.wright@xxx.com>
To: <resin-interest@xxx.com>
Sent: Thursday, April 18, 2002 12:47 PM
Subject: Re: Security Issue with built-in form-based login
> Tibi
>
> I thought you had identified the cause of my problem as my security
> configuration was at the server level in resin.conf. However I have now
> tried the security configuration at the server, host, and web-app level
> in resin.conf and the same behaviour occurs after restart of resin.
>
> I can see how it is more of an application than a resin problem - I will
> try your suggestion of killing the session in the login.jsp page. Longer
> term I will probably develop a custom authenticator.
>
> Thanks
>
> Alan Wright
>
> Tiberiu Fustos wrote:
>
> >Hi,
> >
> >I was wondering if my understanding is correct: if your authenticator is
> >configured at web-app level, the user is logged out when the session with
> >that specific web-app is killed? However, if the authenticator is configured
> >at host level, then you might still be logged in in other sessions with
> >other web-apps. That's the reason why killing the session is not enough to
> >completely log out in certain configurations.
> >
>
>
>
Received on Thu 18 Apr 2002 05:01:12 -0700