Single sign on without using Session Cookie

Rishi Singh
Ranch Hand

Joined: Dec 09, 2000
Posts: 321
Hi All,
I have implemented a single sign on solution for intranet by making use of session cookie.
Is there any way I can achieve single sign on without using Session cookie?
Theoretically, I think it is possible if the Web Server supports URL encoding, then I suppose I can create the session on another server and return to the browser client the encoded url. I tried this but it doesn't seem to work. I think I am missing something.
Any help/references is appreciated.
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

All that you can get hold of is the session ID, and that is what you can explicitly pass back and forwards.
The session data is stored on the server. Therefore you can pass the session ID to another server, but it won't mean anything to that server since the session data doesn't exist.
Even when you are dealing with application contexts on the same server you are not able to share sessions. (there are a couple of ways around this, but it is generally application specific)
Dave
Rishi Singh
Ranch Hand

Joined: Dec 09, 2000
Posts: 321
Can HttpSessionActivationListener be used in this scenario while migrating session from one server to another?
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

I'm pretty sure not, since all the session specific stuff only happens in a single web app. You can keep passing the session ID to another web app, but it won't know what to do with it.
Rishi Singh
Ranch Hand

Joined: Dec 09, 2000
Posts: 321
Is it possible to maintain a Globals properties file, which can cater to all the web applications on the server, and by using HttpSessionActivationListener, I migrate the session and put it in the globals, which will act as a context for all the web applications on the server?
Val Pecaoco
Ranch Hand

Joined: Dec 05, 2001
Posts: 156
Hi Rishi,
Maybe you can try the following:
1) If your app is hosted on a single server, you can store the data in the application context.
2) If what you have is a server farm, you can store the data on a backend database, so that every server can access/update the same data.
For 2), here are some links which you may find useful:
Taming the Stateless Beast: Managing Session State Across Servers on a Web Farm
Maintaining Session State on Your Web Farm
I know they're not at all related to Java (not even a drop of blood), but I think they illustrate the concepts very well.
Ex Animo Java!
-- Val
[ May 29, 2002: Message edited by: Val Pecaoco ]

"Knowledge is power, but enthusiasm is the key." -- Lavern Barn
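
Val's option 2, combined with David's point that a session ID means nothing to a server that lacks the session data, as an added example that is not part of the original thread: the authenticating server writes a short-lived, single-use ticket to a store every server can reach, and the receiving server redeems it and then creates its own local session. `SharedTicketStore`, the `ticket` parameter and the `/app2/sso` path are hypothetical names, the in-memory map stands in for the backend database, and the code assumes Java 16 or later.

```java
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example with hypothetical names. The map stands in for the backend
// database that every server in the farm can read and update.
public class SharedTicketStore {
    private record Ticket(String user, Instant expires) {}

    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, Ticket> backend = new ConcurrentHashMap<>();
    private final long ttlSeconds;

    public SharedTicketStore(long ttlSeconds) { this.ttlSeconds = ttlSeconds; }

    // Called by the server that authenticated the user. The ticket is 128
    // random bits and is unrelated to the container's own session ID.
    public String issue(String user) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        backend.put(id, new Ticket(user, Instant.now().plusSeconds(ttlSeconds)));
        return id; // URL-safe text, carried as a query parameter on the redirect
    }

    // Called by the receiving server. remove() makes the ticket single-use, so
    // a copy left in a proxy log, browser history or Referer header is dead.
    public String redeem(String id) {
        if (id == null) return null;
        Ticket t = backend.remove(id);
        if (t == null || Instant.now().isAfter(t.expires())) return null;
        return t.user(); // the caller now creates its own local HttpSession
    }

    public static void main(String[] args) {
        SharedTicketStore store = new SharedTicketStore(30);
        String ticket = store.issue("rishi"); // constructed sample user
        System.out.println("redirect: /app2/sso?ticket=" + ticket);
        System.out.println("first redeem:  " + store.redeem(ticket));
        System.out.println("second redeem: " + store.redeem(ticket));
        System.out.println("unknown value: " + store.redeem("not-a-ticket"));
    }
}
```

Because the ticket travels in a URL, the short lifetime and the single redemption are what keep a leaked copy from being replayed; the redirect itself should go over HTTPS.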
Manjunath Subramanian
Ranch Hand

Joined: Jul 18, 2001
Posts: 236
Even though I do not have any working experience with this, I would suggest you take a look at
SAML (Security Assertions Markup Language) at
http://java.sun.com/features/2002/05/single-signon.html.
SAML enables open and interoperable designs for web-based single sign-on service functionality.
HTH,
Manjunath
 