tomcat-users mailing list archives

From "Michael Nicholson" <...@email.unc.edu>
Subject Re: Invalidate Session Problem
Date Mon, 16 Dec 2002 18:27:48 GMT
From what I understand, the authorization header using BASIC authentication
has a terrible way of hanging around in most (if not all) browsers.  When
you access the protected resource, and the browser receives the
'authentication needed' header, the browser returns whatever it has stored
in its memory (i.e., your last login).  I haven't heard of any sure-fire
ways of stopping that, other than to restart the browser.

This isn't, however, quite the same thing as invalidating a session.
Invalidating a session simply means that the container (tomcat) is going to
have to create a new session whenever you use request.getSession() (unless
you use request.getSession(false) which will probably throw an exception) or
browse to a jsp that hasn't been told not to use sessions.  And the new
session will have nothing in it that was put in it before the
session.invalidate() call.

I've never really looked at form based authentication;  does it possibly
store some sort of user credential in the session, which is therefore
removed when the session is invalidated (effectively removed, anyhow, as I
suppose it's still sitting in that invalidated session until garbage
collection...), forcing another login?  But basic authentication, at least
as I understand it, doesn't store it that way.  It gets stored in a header,
and in the browser.

Mike
----- Original Message -----
From: <afterz@zipmail.com>
To: <tomcat-user@jakarta.apache.org>
Sent: Monday, December 16, 2002 12:58 PM
Subject: Invalidate Session Problem


> Hello,
>
> I want to say thanks for the help with the other problem and ask
>  another thing.
> It is about invalidating a session.
>
> While I was using the FORM to log into the apps I was able
>  to invalidate my session, but now I am using the BASIC and
>  it is not working.
>
> I read in some places that it may be a bug. Is it, and how
>  can I invalidate the session some other way?
>
> Thanks.
> Ricardo Costa.
>
> --
> To unsubscribe, e-mail: <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>
>
>
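
A diagnostic servlet for the distinction discussed in this thread, added here as an example (it is not code from either poster or from the Tomcat project): it invalidates the session, asks the container for a new one, and reports the authentication state that travels with the request itself. The class name is hypothetical, and it is assumed to be mapped under a URL covered by a security constraint in web.xml; per the Servlet API, getSession(false) returns null when there is no valid session.

```java
// Added example. Uses javax.servlet; Tomcat 10 and later use jakarta.servlet instead.
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SessionVsBasicAuthServlet extends HttpServlet {  // hypothetical name
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Do all session work before writing, so the new session cookie
        // can still be added to the response headers.
        HttpSession old = req.getSession(false);   // never creates a session
        String oldId = (old == null) ? "none" : old.getId();
        if (old != null) {
            old.setAttribute("marker", "set-before-invalidate");
            old.invalidate();                      // container-side state is dropped
        }
        boolean goneAfterInvalidate = (req.getSession(false) == null);

        // The container creates a fresh, empty session on the next getSession().
        HttpSession fresh = req.getSession();

        resp.setContentType("text/plain");
        resp.setHeader("Cache-Control", "no-store");
        PrintWriter out = resp.getWriter();
        out.println("old session id:        " + oldId);
        out.println("gone after invalidate: " + goneAfterInvalidate);
        out.println("new session id:        " + fresh.getId());
        out.println("new session isNew:     " + fresh.isNew());
        out.println("marker in new session: " + fresh.getAttribute("marker"));

        // Authentication state of this request. With BASIC it is derived from
        // the Authorization header the browser sends on every request, so it
        // does not depend on the session that was just invalidated.
        out.println("authType:   " + req.getAuthType());
        out.println("remoteUser: " + req.getRemoteUser());
        // Report presence only: the header value is base64-encoded credentials.
        out.println("Authorization header present: "
                + (req.getHeader("Authorization") != null));
    }
}
```

Reloading the page under BASIC authentication shows a different session id each time and a null marker, while remoteUser stays the same and no login prompt appears.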

