httpd-users mailing list archives

From Sheldon Ross <sr...@simmgene.com>
Subject Re: Clearing login details from browser
Date Fri, 19 Dec 2008 18:57:17 GMT
IMHO the JBoss application should probably be handling the logins, if
this application is very sophisticated.
How are you handling sessions?

On Fri, 2008-12-19 at 13:06 +0000, Tom Evans wrote:
> On Fri, 2008-12-19 at 12:14 +0000, Kirk, Laurence wrote:
> > I have Apache acting as a proxy and providing authentication to a
> > JBoss application server. I time out sessions in JBoss but I think
> > the browser is storing the login details as the user can carry on
> > without having to log in again.
> >
> > Is there a way to force the browser to delete login details, or for
> > Apache to force reauthentication when there is a new session?
> >
> > Has anyone else come across this situation?
> > 
> > Thanks, 
> > Laurence
> 
> If you mean "is there a way to clear basic auth settings from the
> browser", then yes, you can send a 403 response. Once a browser receives
> a 403, it forgets any authorization it knew from the same realm, and
> prompts the user for new credentials. If it receives a 2XX or 3XX in
> response, the browser then remembers those credentials and sends them
> along with all other requests to the same server, until it receives a
> 403 response.
> 
> If you mean "can I make the browser forget 'remembered passwords'", then
> no, you can't do anything about that. You could be logging them out, they
> try to access something, Apache prompts for basic auth, and the user's
> browser just resupplies the saved information. That is perfectly valid,
> and beyond your control.
> 
> Cheers
> 
> Tom
> 
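One way to get the re-authentication asked about in this thread, as an added example that is not from any of the posters: accept Basic credentials only together with a live server-side session, and when the session is missing or expired answer 401 with a WWW-Authenticate header (the Basic challenge from RFC 7617) plus a fresh session cookie. The realm, the cookie name `sid`, the timeout, the user table and the function names are assumptions made for the sketch.

```python
import base64
import hmac
import secrets

REALM = "intranet"                   # assumed realm name
USERS = {"alice": "correct horse"}   # constructed demo credentials
IDLE_TIMEOUT = 900                   # assumed idle limit, in seconds
sessions = {}                        # sid -> {"user": name or None, "last_seen": time}

def check_basic(header):
    """Return the user name if the header holds valid Basic credentials, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode()
    except ValueError:               # bad base64 or bad UTF-8
        return None
    user, _, password = decoded.partition(":")
    expected = USERS.get(user)
    if expected is not None and hmac.compare_digest(password.encode(), expected.encode()):
        return user
    return None

def handle(authorization, sid, now):
    """Decide one request: returns (status, headers)."""
    user = check_basic(authorization)
    sess = sessions.get(sid)
    live = sess is not None and now - sess["last_seen"] <= IDLE_TIMEOUT
    # Credentials count only together with a live session that is still
    # unbound (just challenged) or already bound to the same user.
    if user and live and sess["user"] in (None, user):
        sess.update(user=user, last_seen=now)
        return 200, {}
    # Otherwise the credentials may be the browser's cached copy from an
    # expired session: drop the old session, start a fresh unbound one and
    # challenge, so the browser has to prompt again.
    sessions.pop(sid, None)
    new_sid = secrets.token_urlsafe(16)
    sessions[new_sid] = {"user": None, "last_seen": now}
    return 401, {
        "WWW-Authenticate": f'Basic realm="{REALM}"',
        "Set-Cookie": f"sid={new_sid}; HttpOnly; Secure; SameSite=Strict",
    }
```

A browser or password manager that has saved the password can still resupply it at the new prompt, and the server cannot tell that apart from the user typing it.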

