tomcat-dev mailing list archives

From Patrick Luby <patrick.l...@sun.com>
Subject Re: [5] Session.logout()
Date Fri, 30 Aug 2002 04:51:57 GMT
Bob,

You are correct that browsers keep passing the user/pass with each 
request. As for getting the browser to rechallenge, that is very tricky 
and would be hacky at best.

I would expect that when Basic authentication is used and the last 
request caused Session.logout() to be called, the next request (which will 
contain a valid user/pass) will effectively log the user in.

Trying to make Basic authentication act exactly like FORM authentication 
is probably not realistic as the display of user/pass input screen is 
browser dependent. Effectively, the user is silently logging back in 
with the next visit. I believe that this still complies with the spec. I 
suspect that the real problem may be that the bug submitter's 
interpretation of the spec may be a bit inaccurate.

Patrick

Bob Herrmann wrote:
> The JSP spec 2.4 gives us Session.logout(), what do we do when using
> Basic authentication?  Once challenged, the web browser keeps passing
> the user/pass (right?) so any ideas about how to get the browser to
> re-challenge the end user? (change the domain?)
> 
> 
> Cheers,
> -bob
> 
> 
> --
> To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>

-- 
________________________________________________________________
Patrick Luby                     Email: patrick.luby@sun.com
Sun Microsystems                         Phone: 408-276-7471
901 San Antonio Road, USCA14-303
Palo Alto, CA 94303-4900
________________________________________________________________
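
The behaviour described in this message, as an added example that is not part of the original post and is not Tomcat code: a toy Java model of a container using Basic authentication, showing that clearing the session's login produces no new 401 challenge because the browser resends the Authorization header. The class, the `logout` helper, the session id and the user/password are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Toy model of a container doing HTTP Basic authentication with a session.
// Not Tomcat code: class, user and password are constructed for illustration.
public class BasicLogoutDemo {
    static final Map<String, String> USERS = Map.of("bob", "s3cret"); // constructed
    static final Map<String, String> sessionUser = new HashMap<>();   // session id -> user

    // Returns the status line the container would send for one request.
    static String handle(String sessionId, String authorization) {
        if (sessionUser.containsKey(sessionId)) {
            return "200 (session already authenticated as " + sessionUser.get(sessionId) + ")";
        }
        String user = checkBasic(authorization);
        if (user == null) {
            return "401 WWW-Authenticate: Basic realm=\"demo\"";
        }
        sessionUser.put(sessionId, user); // the header alone is enough to log in
        return "200 (authenticated from Authorization header as " + user + ")";
    }

    // Decodes "Basic base64(user:pass)" and returns the user if the pair is valid.
    static String checkBasic(String authorization) {
        if (authorization == null || !authorization.startsWith("Basic ")) return null;
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(authorization.substring(6)), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) { return null; }
        int colon = decoded.indexOf(':');
        if (colon < 0) return null;
        String user = decoded.substring(0, colon);
        return decoded.substring(colon + 1).equals(USERS.get(user)) ? user : null;
    }

    // Stand-in for the logout call: drops the principal bound to the session.
    static void logout(String sessionId) { sessionUser.remove(sessionId); }
    public static void main(String[] args) {
        String header = "Basic " + Base64.getEncoder()
                .encodeToString("bob:s3cret".getBytes(StandardCharsets.UTF_8));
        System.out.println(handle("S1", null));   // first visit: challenged with 401
        System.out.println(handle("S1", header)); // user typed credentials once
        System.out.println(handle("S1", header)); // browser resends them unprompted
        logout("S1");
        System.out.println(handle("S1", header)); // no 401: silently logged back in
    }
}
```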

