Since I have had some problems getting cookies to work properly on my website and since I do not want to force my users to have to turn cookies "on", I am trying to use a query string instead of a cookie, as follows:
1. I set authentication.type=sso
2. I set sso.implementation=net.jforum.sso.mySSOAuthentication
3. I initiate Jforum by linking to
http://.../jforum/forum.page&module=forums&action=list&ID=123456
In net.jforum.sso.mySSOAuthentication's authenticateUser() and isSessionValid() methods, I use the following to get the value of ID:
String ID = request.getParameter("ID");
ID is a randomly generated session number in the application that initiates Jforum. I use it to get the user ID, password, etc. from my application's database and then invalidate it before initiating Jforum.
This works great, but I am having something that looks like caching problems. For example, when I log into my application and initiate Jforum as above, everything is OK. Then, without taking my browser down, I log out of my application and log back in as a different user. When I then initiate Jforum, the previous user is still logged into Jforum. My mySSOAuthentication's methods are not called by the second initiation of Jforum. In the real world, this may not be a big problem, because multiple users will not usually log in from the same PC, but the security hole exists.
1) If I get this to work, what holes do any of you see in it?
2) Any ideas about my potential caching problem?
Thanks,
Danny
[originally posted on jforum.net by dhhoyle]
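
An added example, not part of the original post and not JForum code: a single-use, short-lived handoff token of the kind the post describes, with the rule that a token presented in the query string always overrides whatever user an existing forum session holds. Class and method names are hypothetical, the in-memory map stands in for the application's database, and the code assumes Java 16 or later.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical single-use handoff token store (constructed for illustration). */
public class HandoffTokens {
    private record Entry(String username, Instant expires) {}

    private final Map<String, Entry> pending = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();
    private final Duration ttl;

    public HandoffTokens(Duration ttl) { this.ttl = ttl; }

    /** Called by the main application right before it links to the forum. */
    public String issue(String username) {
        byte[] raw = new byte[32];                 // 256 random bits from a CSPRNG
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.put(token, new Entry(username, Instant.now().plus(ttl)));
        return token;
    }

    /** Atomically consumes the token; null if unknown, already used or expired. */
    public String redeem(String token) {
        if (token == null) return null;
        Entry e = pending.remove(token);           // remove() is what makes a replay fail
        if (e == null || Instant.now().isAfter(e.expires())) return null;
        return e.username();
    }

    /** Decides which user the forum session should hold after this request. */
    public String resolveUser(String sessionUser, String token) {
        if (token == null) return sessionUser;     // ordinary click inside the forum
        return redeem(token);                      // token wins; a bad token fails closed
    }

    public static void main(String[] args) {
        HandoffTokens store = new HandoffTokens(Duration.ofSeconds(30));
        String t1 = store.issue("alice");          // constructed sample users
        System.out.println(store.redeem(t1));      // first use of the link
        System.out.println(store.redeem(t1));      // same URL replayed from history
        String t2 = store.issue("bob");
        System.out.println(store.resolveUser("alice", t2)); // stale session, new token
    }
}
```

Because the token travels in a URL, it can end up in browser history, Referer headers and server logs, which is why the sketch keeps the lifetime short and consumes the token on first use.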