Since I have had some problems getting cookies to work properly on my website and since I do not want to force my users to have to turn cookies "on", I am trying to use a query string instead of a cookie, as follows:
1. I set authentication.type=sso
2. I set sso.implementation=net.jforum.sso.mySSOAuthentication
3. I initiate Jforum by linking to
In net.jforum.sso.mySSOAuthentication's authenticateUser() and isSessionValid() methods, I use the following to get the value of ID:
String ID = request.getParameter("ID");
ID is a randomly generated session number in the application that initiates Jforum. I use it to get the user ID, password, etc. from my application's database and then invalidate it before initiating Jforum.
This works great, but I am having something that looks like caching problems. For example, when I log into my application and initiate Jforum as above, everything is OK. Then, without taking my browser down, I log out of my application and log back in as a different user. When I then initiate Jforum, the previous user is still logged into Jforum. My mySSOAuthentication's methods are not called by the second initiation of Jforum. In the real world, this may not be a big problem, because multiple users will not usually log in from the same PC, but the security hole exists.
1) If I get this to work, what holes do any of you see in it?
2) Any ideas about my potential caching problem?
Danny [originally posted on jforum.net by dhhoyle]
The RemoteUserSSO.isSessionValid code has the logic your SSO code will need to keep this from happening.
Basically, it checks to see if the information on the request matches the information about the user in the jforum userSession object and does the right thing depending on whether they match or not (or whether it is the anonymous user).
Your code should do the same sort of logic. [originally posted on jforum.net by monroe]
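The comparison described in the reply above, applied to the one-time ID scheme from the question, as a stand-alone Java example added here (it is not JForum's RemoteUserSSO code and not part of either post). The class, method and map names are hypothetical, the token values are constructed, and it assumes the ID is present only on the link that enters the forum.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration: all names here are hypothetical, not JForum's API.
public class SsoSessionCheck {
    // Constructed stand-in for the host application's table of one-time IDs.
    static final Map<String, String> TOKENS = new HashMap<>();

    // Resolve and consume a one-time ID; null if missing, unknown or already used.
    static String consumeToken(String id) {
        return id == null ? null : TOKENS.remove(id);
    }

    // Decide whether the existing forum session may be reused.
    // sessionUser is null when the session belongs to the anonymous user.
    // Returning false means: discard the session and authenticate again.
    static boolean isSessionValid(String sessionUser, String requestUser, boolean idPresent) {
        if (!idPresent) {
            return true;   // assumption: ordinary forum click, no new identity claim
        }
        if (requestUser == null) {
            return false;  // an ID was sent but cannot be redeemed: do not trust it
        }
        // Anonymous session (null) or a different user both fail this comparison.
        return requestUser.equals(sessionUser);
    }

    public static void main(String[] args) {
        TOKENS.put("8f3a", "alice");  // constructed sample values
        TOKENS.put("c41d", "bob");

        String first = consumeToken("8f3a");
        System.out.println("anonymous session, alice's ID: "
                + isSessionValid(null, first, true));
        System.out.println("alice's session, no ID on request: "
                + isSessionValid("alice", null, false));
        String second = consumeToken("c41d");
        System.out.println("alice's session, bob's ID: "
                + isSessionValid("alice", second, true));
        System.out.println("bob's session, bob's ID replayed: "
                + isSessionValid("bob", consumeToken("c41d"), true));
    }
}
```

Because the ID travels only on the entry link, a check of this shape cannot see a logout in the host application; it only catches the next entry with a different or unusable ID.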