tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bob Herrmann <...@jadn.com>
Subject [5] logout() and Basic Authentication
Date Wed, 04 Sep 2002 15:17:51 GMT

Hi, The Servlet 2.4 spec includes HttpSession.logout(). 

My question is, how should Tomcat handle a logout() when the webapp is
using "Basic Authentication" ?

Basic Authentication is described in http://www.ietf.org/rfc/rfc2617.txt
Chapter 2.

My assertion is: Once a remote user has logged in once using Basic
Authentication, there is no way to log them out. (In most cases, they
need to close their browser to effect a logout.)  When receiving a
request, Tomcat cannot tell if a user was asked to login or not. A page
load and a login are identical.

Some have suggested attempting "tricking" the remote user into relogging
in by re-challenging the user.  The problem with this approach is that
the protocol doesn't allow us to differentiate between a request that is
coming from a "newly challenged" client or "challenged previously"
client.  

Some have suggested sending a cookie along with the challenge and using
them together to authenticate the re-login.  This might work.  It 
depends on whether the browser accepts the cookie right away or not.  If
the cookie is accepted immediately by the browser and the user ignores
the login dialog (or dismisses it) the new cookie could be set. This
would put us back at being unable to identify if a request is a
"relogin" or a "page load."

My current plan is to;

1. verify that the "new coookie" approach doesn't work
2. dig up some history on why "Basic Authentication" is so broken (early
protocol addition?)
3. suggest a language change to the Servlet 2.4 spec. something like
adding to the logout() section, "If the container is authenticating
using Basic Authentication (thus the authentication state is stored on
the browser), logout() must only invalidate the user's session (or if
using SingleSignOn, all the users sessions.) "

Cheers,
-bob




--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>


Mime
View raw message