on 05-13-2010 6:51 PM
hi experts
we have a c# application with RSA security as front end.
RSA sso is implemented on businessobjects and it is working.
But the issue is, if the user1 logons in application and creates a session in infoview.
But he didn't logout infoview. when another user2 logons in the application on same computer.
Businessobjects still keeps the old session.
There is no way to tell tomcat to uses the new session.
I can see in CMC, there is two session active (user1 & user2).
Is it possible to clear jsessionid session & cookies?
Thanks!
Prasath
Edited by: Prasath Mungundu on May 13, 2010 11:13 PM
The jsessionid is a HTTP Session token generated by the Java Web Application Server itself to manage HTTP Sessions - here Tomcat.
Trying to eliminate jsessionid isn't a secure way to do things.
It's SSO, so the session will remain live till the HTTP Session times out, if the user hasn't logged off explicitly.
Sincerely,
Ted Ueda
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Ted
We are using RSA SSO and enterprise authentication, SSO works on initial login.
But when a user logs out, and logs back in to SSO without closing the browser, InfoView still holds the pervious session.
Is there a way to identify and get rid of tomcat session when new InfoView user comes in via SSO?
Is there some way to detect when the current user has changed, and remove the session accordingly.?
I have same question post in below thread.
Thanks!
Prasath
I have one more question. I the problematic application, the JSESSIONID-Parameter is included in the url-string. And that's why the application has the previous JESSESIONID/previous datas. Another Application don't have this problem, because there isn't the jsessionid-parameter inside the url-string.
So I know, that for these application were used different iViews. Or do you have an idea where I can define, that the jsessionid should not be part of the url?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi,
I think I have a similar problem. I have a Webdynro applikation inside a intranet. If the User login over the intranet a sso-ticket will be created (MYSAPSSO2). If he logout, the sso-ticket will be deleted, but the jsessionid is still active, if I don't close the browser. If I close the browser, there is no problem.
So do I have to delete the jsessionid in my application java-code? Or is it a problem with the Internet Explorer?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
85 | |
10 | |
9 | |
8 | |
6 | |
6 | |
6 | |
5 | |
3 | |
3 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.