tomcat-users mailing list archives

From Marko Asplund <a...@kronodoc.fi>
Subject Re: Logout with basic autorization
Date Thu, 15 Nov 2001 20:50:03 GMT

On Wed, 14 Nov 2001, Craig R. McClanahan wrote:

> ...
> As far as I know, this is correct.  The problem is that when you are using
> BASIC authentication, the browser sends the credentials on every request,
> and I don't know of any way to tell it to stop doing so.

there's no way of reliably implementing logout with HTTP Basic
authentication. you could always "fake" a password mismatch on the server
side after logout but this would not change the fact that the browser
already knows the password. another possibility would be to change the
name of the authentication realm dynamically for the logged-out user. the
aim being that the browser wouldn't be able to associate the password for
the site anymore but browsers seem to associate passwords to URLs and
ignore the realm name.

the basic authentication scheme just wasn't designed with sessions in
mind.

-- 
	aspa
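
The "fake a password mismatch" idea from the message above, as an added example that is not part of the original post or of Tomcat's code. The account, realm name, paths and function names are constructed for illustration, and the server is modelled as a plain function rather than a servlet.

```python
import base64
import hmac

# Constructed sample account and realm; not taken from the thread.
USERS = {"alice": "s3cret"}
REALM = "example"
logged_out = set()  # users whose next request gets a faked mismatch

def parse_basic(header):
    """Return (user, password) from an Authorization header, or None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, pw = raw.partition(":")
    return (user, pw) if sep else None

def handle(path, authorization=None):
    """Return (status, headers) for one request to the protected app."""
    challenge = (401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM})
    creds = parse_basic(authorization)
    if creds is None:
        return challenge
    user, pw = creds
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(pw.encode(), expected.encode()):
        return challenge
    if path == "/logout":
        logged_out.add(user)
        return (200, {})
    if user in logged_out:
        # Faked mismatch: reject valid credentials once to force a prompt.
        logged_out.discard(user)
        return challenge
    return (200, {})

def browser_header(user, pw):
    """The header a client resends on every request once it holds the password."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()

def demo():
    h = browser_header("alice", "s3cret")  # same value reused for every request
    return [handle(p, h)[0] for p in ("/app", "/logout", "/app", "/app")]

if __name__ == "__main__":
    print(demo())
```

The identical header value is accepted, rejected once after logout, and then accepted again, so the server cannot tell a user retyping the password from a client replaying the credentials it already holds.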

