JBoss 5.1/JBossweb-2.1.12 Invalidating session does not invalidate all SSO session

Latest response

We are using the unclustered SSO valve. Invalidating a session does not invalidate all other session tied to the SSO cookie. The problem is intermittent. Upgrading to a newer version of JBoss is not an option, so I am looking for a configuration or patch solution. I am not entirely sure yet, but I think that when it does work the org.apache.catalina.authenticator.SingleSignOn.deregister method is being invoked and when it fails, it is not. So, perhaps it is a problem with HttpSessionListeners not firing correctly, or in the wrong order.

Responses

Hi

Raise a case against this issue. We have a number of articles that cover this issue in EAP 6.x but I think you should discuss this with one of our support engineers in regards to EAP 5.x

Thanks Mustafa

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.