2 Replies Latest reply on Aug 6, 2004 4:42 PM by sblanc

    beginner: SSO and invalidate session

    sblanc

      Hello,

      I have SingleSignOn set up on the web engine and I am trying to build a JSP that will force the user to re-authenticate when visited (LogOff menu).

      I did the following (with scriptlet for now) in the welcome page:
      <%
      // create a new session if one does not exist
      // getSession(false) returns null when there is no session, so check that before isNew()
      HttpSession hsession = request.getSession(false);
      if (hsession == null || hsession.isNew())
      {
          System.out.println("**** creating a _NEW_ session ****");
          hsession = request.getSession();
      }
      else
          System.out.println("**** using _CURRENT_ session ****");
      %>

      and in the logoff.jsp:
      <%
      request.getSession().invalidate();
      %>

      The session is invalidated (I get a new token id for instance), yet authentication is not forced again: the user can still access any page without authenticating (same behavior on MSIE and Netscape).

      I am using BASIC authentication for the login-config. Is there any specific servlet configuration required for this to work?

      Thanks,

      Sebastien.
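Added example, not part of the original post and not JBoss code: with BASIC authentication the browser replays its cached Authorization header on every request, so a container can re-authenticate silently after the session is invalidated, which is consistent with the new session id reported above. The Java model below is a toy with constructed credentials and a hypothetical `handle` method; it does not model the SingleSignOn valve.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Toy model of container-managed BASIC auth (assumption: simplified, not JBoss or Tomcat code).
public class BasicLogoffDemo {
    // session id -> authenticated user; stands in for the container's session store
    static final Map<String, String> sessions = new HashMap<>();
    // Constructed sample credentials.
    static final String USER = "alice", PASS = "s3cret";

    // Hypothetical request handler: returns the session id serving the request,
    // or null when the container would answer 401 and the browser would prompt.
    static String handle(String sessionId, String authorization) {
        if (sessionId != null && sessions.containsKey(sessionId)) {
            return sessionId;                   // live session, already authenticated
        }
        if (authorization != null && authorization.startsWith("Basic ")) {
            String decoded = new String(
                Base64.getDecoder().decode(authorization.substring(6)),
                StandardCharsets.UTF_8);
            if (decoded.equals(USER + ":" + PASS)) {
                String id = UUID.randomUUID().toString();
                sessions.put(id, USER);         // silent re-login under a new session id
                return id;
            }
        }
        return null;                            // 401 + WWW-Authenticate challenge
    }

    public static void main(String[] args) {
        // The browser caches this header after the first prompt and replays it.
        String cached = "Basic " + Base64.getEncoder()
            .encodeToString((USER + ":" + PASS).getBytes(StandardCharsets.UTF_8));

        String first = handle(null, cached);    // initial login
        sessions.remove(first);                 // effect of invalidate() in logoff.jsp
        String second = handle(first, cached);  // next click after "log off"

        System.out.println("re-authenticated without prompt: " + (second != null));
        System.out.println("session id changed: " + !second.equals(first));
        // Only a request that lacks the cached header is challenged again.
        System.out.println("challenged without header: " + (handle(first, null) == null));
    }
}
```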