tomcat-users mailing list archives

From Bill_Fellows/MO/americancent...@americancentury.com
Subject Re: formbased authentication: logout ?
Date Wed, 21 Feb 2001 14:32:04 GMT


I'm sure others are more knowledgeable, but from what I've been able to observe
(snoop servlet is wonderful), a session must have been created before
authentication.  I'm basing all of my stuff off of my b*stardization of
SimpleRealm, BTW.  Session name is JSESSIONID.  A principal user is defined and
the username and password are stored in the session variable (j_username &
j_password) upon successful authentication.  A tomcat.auth.originalLocation is
defined if they attempted to access a specific secure part before being
authenticated.  If so, after they authenticate it takes them to that particular
page.

To logout, I have my users hit a servlet (could be a jsp) that goes through all
the cookies and expires them.  Since tomcat can only expire the cookies it
created, you don't have to worry about killing someone else's cookie.  Looking
at my code now, I can't remember if expiring the session takes care of removing
the cookies or not.  At any rate, I think I had trouble getting the
session.invalidate() to work in a jsp (since they create sessions automagically)
so maybe that's why I went to the jsp.  Maybe the invalidate is required to drop
the principal user...  At any rate, I'm going to re-evaluate my code but this
does work.  Enjoy.

/bill

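    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.Cookie;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpSession;

    // Class name and the value of stLogoutDestination are placeholders;
    // the original post shows only the doGet method.
    public class LogoutServlet extends HttpServlet
    {
      private String stLogoutDestination = "/";  //placeholder destination

      public void doGet(HttpServletRequest request, HttpServletResponse response)
      throws IOException, ServletException
      {
        if ( request.isRequestedSessionIdValid() )
        {
            HttpSession session = request.getSession(false);
            if ( session != null )  //getSession(false) never creates a session
            {
                session.invalidate();
            }
        }
        Cookie BagofGingerSnaps[]  = request.getCookies();
        if ( BagofGingerSnaps != null )  //getCookies() returns null when no cookies were sent
        {
           for (int i = 0; i < BagofGingerSnaps.length ; i++)
           {
              BagofGingerSnaps[i].setMaxAge(0);  //expire all cookies in 0 seconds
              response.addCookie(BagofGingerSnaps[i]);  //replace old cookies with the new
           }
        }
        response.sendRedirect(stLogoutDestination);
      }//closes doGet
    }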




paul marshal <paul.marshall@jambit.com> on 02/21/2001 09:10:08 AM



Please respond to tomcat-user@jakarta.apache.org

To:   tomcat-list <tomcat-user@jakarta.apache.org>
cc:    (bcc: Bill Fellows/MO/americancentury)
Subject:  formbased authentication: logout ?



How do I create a possibility for my users to logout.
Is there something in the HttpSession that I need to delete ?
Or how does it all work ?

Paul

--
Paul Marshall
paul.marshall@jambit.com
089/26019-609
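
A hardened variant of the logout servlet discussed in this thread, as an added example that is not part of the original messages. It assumes a Servlet 3.0+ container (for `request.logout()` and `SessionCookieConfig`); the class name and `/loggedout.html` are hypothetical. It rebuilds the session cookie from the container's configured name, path and domain, because cookies read back from a request carry only name and value, so re-adding them expires a cookie at the default path of the logout URL rather than the path the original was set on.

```java
// Added example, not from the original post. Assumes Servlet 3.0+ (javax.servlet).
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.SessionCookieConfig;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class HardenedLogoutServlet extends HttpServlet {
    // Hypothetical landing page. Fixed and context-relative, so the
    // redirect target is never taken from the request.
    private static final String LOGOUT_DESTINATION = "/loggedout.html";

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        // POST only: a state-changing action should not be reachable by a plain link.
        request.logout();                                 // drop the authenticated principal
        HttpSession session = request.getSession(false);  // never create a session here
        if (session != null) {
            session.invalidate();                         // destroy server-side state
        }

        // Expire the session cookie using the same name/path/domain it was
        // issued with; a mismatch leaves the original cookie in the browser.
        SessionCookieConfig cfg = getServletContext().getSessionCookieConfig();
        String ctx = request.getContextPath();
        Cookie expired = new Cookie(cfg.getName() != null ? cfg.getName() : "JSESSIONID", "");
        expired.setPath(cfg.getPath() != null ? cfg.getPath() : (ctx.isEmpty() ? "/" : ctx));
        if (cfg.getDomain() != null) {
            expired.setDomain(cfg.getDomain());
        }
        expired.setMaxAge(0);
        expired.setHttpOnly(true);
        expired.setSecure(request.isSecure());
        response.addCookie(expired);

        response.setHeader("Cache-Control", "no-store");  // keep the response out of caches
        response.sendRedirect(ctx + LOGOUT_DESTINATION);
    }
}
```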
