Tomcat not invalidating sessions
ValveBase; /** A Valve that supports a "single sign on" user experience, where the security identity of a user who successfully authenticates to one web application is propagated to other web applications in the same security domain. */

Hi All, I'm trying to locate any docs on how to administratively kick a user off the IdP, but am not getting much luck. Is there a way to selectively invalidate that user's (really the phisher's) session on the IdP without also invalidating all the rest of the IdP's sessions?

The session-id can be "fixated" (by predicting the session id), but the nonce is independent of the cookie. The attacker would have to predict not only the session id (which can be done by tricking the victim into using a chosen session id) but also the nonce generated by the application, which should be extremely difficult.

The container has no "logout" mechanism; the application must implement it -- usually by invalidating the session. Invalidating the session removes that session from the list of valid sessions.
Session id reuse is in fact not a big deal conceptually. Except you don't want to use an MRU queue and intentionally re-use session ids in the near future, because... If I get session id abcd1234 and then log out, and Tomcat implements a "session id re-use" policy, then someone in the very near future will end up using the session id abcd1234. Knowing a user's session id is equivalent to being logged in as that user (in the absence of any other authentication mechanism, of course), so I simply have to wait a few minutes and then try to use session abcd1234 again.

I use this for some other Java apps and find it very useful. Developing something like that for the IdP sessions ought to be pretty easy; it could even just be a couple of fairly simple JSPs.