SSO using query string instead of cookie.

Since I have had some problems getting cookies to work properly on my website and since I do not want to force my users to have to turn cookies "on", I am trying to use a query string instead of a cookie, as follows:

1. I set authentication.type=sso
2. I set sso.implementation=net.jforum.sso.mySSOAuthentication
3. I initiate Jforum by linking to
http://.../jforum/forum.page&module=forums&action=list&ID=123456

In net.jforum.sso.mySSOAuthentication's authenticateUser() and isSessionValid() methods, I use the following to get the value of ID:

String ID = request.getParameter("ID");

ID is a randomly generated session number in the application that initiates Jforum. I use it to get the user ID, password, etc. from my application's database and then invalidate it before initiating Jforum.

This works great, but I am having something that looks like caching problems. For example, when I log into my application and initiate Jforum as above, everything is OK. Then, without taking my browser down, I log out of my application and log back in as a different user. When I then initiate Jforum, the previous user is still logged into Jforum. My mySSOAuthentication's methods are not called by the second initiation of Jforum. In the real world, this may not be a big problem, because multiple users will not usually log in from the same PC, but the security hole exists.

1) If I get this to work, what holes do any of you see in it?

2) Any ideas about my potential caching problem?

Thanks,

Danny
[originally posted on jforum.net by dhhoyle]
The RemoteUserSSO.isSessionValid code has the logic your SSO code will need to keep this from happening.

Basically, it checks to see if the information on the request matches the information about the user in the jforum userSession object and does the right thing depending on whether they match or not (or whether it is the anonymous user).

Your code should do the same sort of logic.
[originally posted on jforum.net by monroe]
Monroe,

I admit that I essentially copied/plagiarized parts of RemoteUserSSO, leaving out parts that I did not understand. I must now take your suggestion.

Thanks,

Danny
[originally posted on jforum.net by dhhoyle]
It now works like a charm.

Monroe, thanks again,

Danny

PS: For those with interest, the code that I left out was in the isSessionValid() method in RemoteUserSSO. The correct way for my application was to replace

String remoteUser = request.getRemoteUser();

with my code and leave the rest of the method in place.
[originally posted on jforum.net by dhhoyle]
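The isSessionValid() logic monroe points to, worked through for the query-string scheme in this thread, as an added example that is neither code from the thread nor JForum's own RemoteUserSSO. TokenStore is a hypothetical stand-in for the parent application's database lookup, and the JForum signatures used (SSO, RequestContext, UserSession, SystemGlobals, ConfigKeys) are assumed from JForum 2.x and should be checked against your version.

```java
package net.jforum.sso;

import net.jforum.context.RequestContext;
import net.jforum.entities.UserSession;
import net.jforum.util.preferences.ConfigKeys;
import net.jforum.util.preferences.SystemGlobals;

/**
 * Query-string SSO as described in the thread: the ID parameter is a one-time
 * handle issued by the parent application, exchanged for a username, then
 * invalidated. TokenStore is a hypothetical interface over that application's
 * session table; it is not part of JForum.
 */
public class QueryStringSSO implements SSO {

    public interface TokenStore {
        /** Username the token maps to, or null if unknown or already used. */
        String peek(String token);
        /** Same as peek, but also invalidates the token so it cannot be replayed. */
        String consume(String token);
    }

    private final TokenStore tokens;

    public QueryStringSSO(TokenStore tokens) { this.tokens = tokens; }

    /** Called by JForum only when isSessionValid() reported no valid session. */
    public String authenticateUser(RequestContext request) {
        String token = request.getParameter("ID");
        return token == null ? null : tokens.consume(token);
    }

    /**
     * The part the OP had left out of RemoteUserSSO: when a new initiation
     * arrives, the identity on the request must agree with the identity JForum
     * already cached in the UserSession, or the session is reported invalid so
     * that authenticateUser() runs again for the new user.
     */
    public boolean isSessionValid(UserSession userSession, RequestContext request) {
        String token = request.getParameter("ID");
        if (token == null) {
            return true;   // ordinary in-forum navigation carries no token
        }
        String username = tokens.peek(token);
        int anonymousId = SystemGlobals.getIntValue(ConfigKeys.ANONYMOUS_USER_ID);
        if (username == null || userSession.getUserId() == anonymousId) {
            return false;  // replayed/unknown token, or nobody logged in yet
        }
        return username.equals(userSession.getUsername());  // different user -> invalid
    }
}
```

Because the token travels in the URL it ends up in browser history, proxy logs and Referer headers, so the single-use invalidation the OP already does, plus a short token lifetime, is what keeps a captured link from granting access later.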