tomcat-users mailing list archives

From java program <>
Subject Re: [Q] Session invalidation and authentication mechanism
Date Mon, 14 Aug 2000 10:57:31 GMT
Is it a good way of doing authentication? 

I make authentication with database for
userid/password, if in session some attribute is not
set, like "user.logged", and each entry point has to
check this before continuing. Is it a good way of doing
In my case I don't have to invalidate the complete session
but only that attribute.

Of course I will assume that my application will run
under SSL etc., which still I have to check.

--- Luke Taylor <> wrote:
> Basically the question is how are the session and
> authentication data
> linked (or are they)?
> I've set up a web application which has various
> security constraints
> configured in the web.xml file and I use basic
> authentication to login.
> At a later stage I want to logout and I click on a
> link that gets a
> servlet to invalidate() the user session. The
> problem is that I can
> still access pages which are protected and the
> browser doesn't ask me
> to login again. I would have expected the security
> information to be
> linked to the session object, and indeed the user
> principal object is
> no longer there when I subsequently call
> getUserPrincipal() (during
> another logout attempt)...
> Anyone any ideas?
> Luke.
> -- 
>  Luke Taylor.
>  PGP Key ID: 0x57E9523C
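
An added example, not part of either message or of Tomcat itself: the per-entry-point check described in the reply, written once as a servlet filter instead of in every servlet. Only the "user.logged" attribute name comes from the message; the class name, the /login and /logout servlet paths (assumed to be exact-match servlet mappings) and the use of the javax.servlet filter API with changeSessionId() (Servlet 3.1 or later) are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added illustration. LoggedInFilter, /login and /logout are hypothetical names;
// "user.logged" is the session attribute named in the message.
public class LoggedInFilter implements Filter {
    static final String ATTR = "user.logged";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String path = req.getServletPath();

        if ("/logout".equals(path)) {
            HttpSession current = req.getSession(false);
            if (current != null) {
                current.removeAttribute(ATTR);   // drop only the login marker
            }
            res.sendRedirect(req.getContextPath() + "/login");
            return;
        }
        if ("/login".equals(path)) {             // the login servlet itself is not gated
            chain.doFilter(rq, rs);
            return;
        }
        HttpSession session = req.getSession(false); // do not create a session just to check
        if (session == null || session.getAttribute(ATTR) == null) {
            res.sendRedirect(req.getContextPath() + "/login");
            return;
        }
        // Keep protected pages out of caches so they are not shown again after logout.
        res.setHeader("Cache-Control", "no-store");
        chain.doFilter(rq, rs);
    }

    // Called by the login servlet after the database check of userid/password succeeds.
    static void markLoggedIn(HttpServletRequest req, String userId) {
        req.getSession(true);                    // make sure a session exists
        req.changeSessionId();                   // new id at login, blocks session fixation
        req.getSession().setAttribute(ATTR, userId);
    }
}
```

Removing the attribute works as a logout here because the application owns the check. With container-managed BASIC authentication the browser resends the credentials on every request, so invalidating the session alone does not bring back the login prompt.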
