I'm trying to support single sign-on with JETTY and we have 2 subdomains running webservers that will support single sign-on through Jetty's SSO support.

account.test.com
app.test.com

We have an SSOSession cookie that is set to *.test.com, but to support sign-off I need to ensure that my Jetty server running at app.test.com has its JSESSIONID cookie reset.

I'm currently using the Jetty JAAS FormAuthenticator and overriding SSORealm to support validation of the SSOSession cookie when the FormAuthenticator is called.

I want to be able to have the account.test.com allow users to sign in there which will cause it to invalidate the JSESSIONID cookie being used at app.test.com.

One solution I could do that would probably be more correct is to detect a change in the SSOSession cookie and invalidate the JSESSIONID on my server.

A: 

I do not know anything about Jetty or how JSESSIONIDs work but it sounds like you want to tie the validity of JSESSIONID to a specific SSOSession cookie.

One possibility - when creating a new session on app.test.com, apart from new JSESSIONID, set a new cookie say SSOSig = MD5(JSESSIONID + SSOSessionCookie + secret) in domain app.test.com.

When the user interacts with app.test.com, the server will receive JSESSIONID, SSOSig, and SSOSessionID. If SSOSessionID changed because of sign in on account.test.com, then you will receive JSESSIONID, SSOSig, and SSOSessionID'. Now your attempt to verify SSOSig will fail since MD5(JSESSIONID + SSOSessionID' + secret) != SSOSig and at this point you can invalidate JSESSIONID.
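A constructed Python model of the scheme described in this answer (an added example, not code from the original post or from Jetty): app.test.com issues an SSOSig cookie bound to both JSESSIONID and the shared SSOSession cookie, and drops the app session as soon as the three no longer agree. It uses HMAC-SHA256 over length-prefixed fields in place of the MD5 concatenation mentioned above; the secret, the cookie names and the in-memory session store are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed server-side key; a real deployment loads it from configuration.
SERVER_SECRET = b"constructed-example-secret"


def make_sso_sig(jsessionid: str, sso_session: str, secret: bytes = SERVER_SECRET) -> str:
    """Bind the app session to the SSO session with a keyed hash.

    Length-prefixing each field avoids ambiguity in plain concatenation
    ("ab"+"c" vs "a"+"bc"), and HMAC keeps the secret out of the hash input.
    """
    msg = f"{len(jsessionid)}:{jsessionid}|{len(sso_session)}:{sso_session}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def session_still_valid(cookies: dict, secret: bytes = SERVER_SECRET) -> bool:
    """True if JSESSIONID, SSOSig and SSOSession are mutually consistent."""
    try:
        jsid, sig, sso = cookies["JSESSIONID"], cookies["SSOSig"], cookies["SSOSession"]
    except KeyError:
        return False  # any missing cookie means the binding cannot be checked
    expected = make_sso_sig(jsid, sso, secret)
    return hmac.compare_digest(expected, sig)  # constant-time comparison


def login(sso_session: str, sessions: dict, secret: bytes = SERVER_SECRET) -> dict:
    """Create an app session and return the cookies app.test.com would set."""
    jsid = secrets.token_hex(16)
    sessions[jsid] = {"sso": sso_session}
    return {
        "JSESSIONID": jsid,
        "SSOSig": make_sso_sig(jsid, sso_session, secret),
        "SSOSession": sso_session,  # the *.test.com cookie, shared with account.test.com
    }


def handle_request(cookies: dict, sessions: dict, secret: bytes = SERVER_SECRET) -> str:
    """Simulate one request to app.test.com.

    If the SSO cookie changed (re-login on account.test.com) or SSOSig was
    tampered with, the app session is invalidated and must be re-established.
    """
    jsid = cookies.get("JSESSIONID")
    if jsid not in sessions:
        return "no-session"
    if not session_still_valid(cookies, secret):
        del sessions[jsid]  # invalidate JSESSIONID server-side
        return "invalidated"
    return "ok"
```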
