I'm using WSAD 5.1.2, with LTPA, SSO and custom registry turned on. I use form-based login in the WAR file. All the timeout settings are by default. Now, if I access a protected URL, get authenticated, keep the browser window open; then restart the WSAD test server, refresh the browser with the same URL, I would be granted access right away! I always thought the correct behavior should be to redirect to the form login page. And I'm very certain the browser is not just showing me a stale cache (because the server console indicates the custom registry's methods are called). I don't know what the Servlet Spec says about it. So my questions are: 1) have you experienced a similar problem before? 2) Is there a way to change WSAD's behavior so that a server restart automatically invalidates all the previous sessions?
Let's remember, LTPA and SSO are not part of the server spec.
With an LTPA token, the token itself could be generated anywhere in the domain, by any server participating in the SSO domain. When that server starts up, it sees a cookie that indicates that the client has been authenticated by a server in the domain, so the client is trusted. The server doesn't know that it was itself that just validated the user, nor does it care.
If you've got ten servers in an SSO domain, and one server goes down, should everyone's LTPA token be invalidated? Should everyone who got their token from that machine that went down have to log in again? I think the answer should be no.
I think the program is working according to what I would expect. Let me add that this is purely from my theoretical knowledge of SSO LTPA and LDAP. If I sound sure of myself, it's purely pomposity in action.
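The behaviour described in the reply above, modelled as an added example (not code from the thread or from WebSphere, and not the real LTPA token format): each server in the domain checks a signed token against the shared domain key, so a restarted server, which has lost its in-memory sessions, still accepts the token; only the token's expiry or a change of the shared key ends that trust. The key, lifetime and server names are constructed values.

```python
import base64, hashlib, hmac, json

DOMAIN_KEY = b"constructed-sso-domain-key"  # constructed; shared by every server in the SSO domain


class SsoServer:
    """Minimal model of one server in an SSO domain: trust lives in the shared key, not in memory."""

    def __init__(self, name, key, lifetime_s=7200):
        self.name, self.key, self.lifetime_s = name, key, lifetime_s
        self.sessions = {}  # HTTP sessions; a new instance (a restart) starts with none

    def login(self, user, now):
        payload = {"user": user, "issuer": self.name, "exp": now + self.lifetime_s}
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        self.sessions[user] = now
        return f"{body}.{sig}"

    def validate(self, token, now):
        """Return the user if the signature is valid under this server's key and not expired, else None."""
        body, _, sig = token.rpartition(".")
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None
        payload = json.loads(base64.urlsafe_b64decode(body))
        return payload["user"] if payload["exp"] > now else None


def demo():
    t0 = 1_000_000
    server_a = SsoServer("serverA", DOMAIN_KEY)
    token = server_a.login("alice", t0)

    restarted_a = SsoServer("serverA", DOMAIN_KEY)   # restart: same key, empty session table
    server_b = SsoServer("serverB", DOMAIN_KEY)      # another member of the same SSO domain
    rekeyed_a = SsoServer("serverA", b"rotated-key")  # what invalidating everyone actually costs

    return {
        "sessions_after_restart": len(restarted_a.sessions),
        "after_restart": restarted_a.validate(token, t0 + 60),
        "other_server": server_b.validate(token, t0 + 60),
        "after_expiry": restarted_a.validate(token, t0 + 7200),
        "after_key_rotation": rekeyed_a.validate(token, t0 + 60),
        "tampered": restarted_a.validate(token[:-1] + ("0" if token[-1] != "0" else "1"), t0 + 60),
    }
```

Rotating the domain key logs out every user on every server, which is the trade-off the reply points at; bounding exposure after a restart is therefore a matter of the token lifetime, not of per-server state.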