tomcat-users mailing list archives

From "G. Wade Johnson" <wade.john...@abbnm.com>
Subject Re: logout and login again
Date Fri, 16 May 2003 14:00:28 GMT
Almost... From RFC 2617,

   A client SHOULD assume that all paths at or deeper than the depth of
   the last symbolic element in the path field of the Request-URI also
   are within the protection space specified by the Basic realm value of
   the current challenge. A client MAY preemptively send the
   corresponding Authorization header with requests for resources in
   that space without receipt of another challenge from the server.

So the browser may send the userid and password each time (if the
request is deeper in the tree), but it's not required to.

In other words, if you don't want the browser to do this...it will,
and if you rely on the browser to do this...a browser somewhere won't.
<grin/>

G. Wade
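As an added illustration of the RFC 2617 rule quoted above (not code from the thread or from Tomcat): a constructed model of a Basic-auth server and a credential-caching browser, showing why invalidating the servlet session never brings the login dialog back, whether or not the browser sends the header preemptively. The realm name, user, password and paths are made up.

```python
import base64
from urllib.parse import urlsplit

def protection_space(request_uri: str) -> str:
    """RFC 2617 rule quoted above: every path at or deeper than the last
    symbolic element, e.g. '/app/secure/index.jsp' -> '/app/secure/'."""
    path = urlsplit(request_uri).path or "/"
    return path[: path.rfind("/") + 1]

class BasicAuthServer:
    """Constructed stand-in for a Tomcat webapp using BASIC auth (not Tomcat code)."""
    def __init__(self, realm, users):
        self.realm, self.users, self.sessions = realm, users, set()
    def handle(self, path, headers):
        auth = headers.get("Authorization", "")
        if auth.startswith("Basic "):
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
            if self.users.get(user) == pw:
                self.sessions.add(user)   # a new session appears on every authenticated hit
                return 200, {}
        return 401, {"WWW-Authenticate": 'Basic realm="%s"' % self.realm}
    def invalidate_session(self, user):   # what the app's "logout" link does
        self.sessions.discard(user)

class Browser:
    """Keeps credentials per realm until restart; may send them without a challenge."""
    def __init__(self, preemptive):
        self.preemptive, self.cache = preemptive, {}   # realm -> (space, header value)
        self.prompts = self.challenges = 0
    def get(self, server, path, user, pw):
        headers = {}
        for space, value in self.cache.values():
            if self.preemptive and path.startswith(space):
                headers["Authorization"] = value       # the MAY in RFC 2617
        status, resp = server.handle(path, headers)
        if status == 401:
            self.challenges += 1
            realm = resp["WWW-Authenticate"].split('realm="')[1].rstrip('"')
            if realm not in self.cache:                # only then does the user see a dialog
                self.prompts += 1
                value = "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()
                self.cache[realm] = (protection_space(path), value)
            status, _ = server.handle(path, {"Authorization": self.cache[realm][1]})
        return status

def logout_scenario(preemptive):
    """Log in, 'log out' by invalidating the session, then revisit the page.
    Returns (final status, challenges seen by the browser, dialogs shown to the user)."""
    server = BasicAuthServer("Example Realm", {"werner": "secret"})   # constructed values
    browser = Browser(preemptive)
    browser.get(server, "/app/secure/index.jsp", "werner", "secret")
    server.invalidate_session("werner")
    status = browser.get(server, "/app/secure/index.jsp", "werner", "secret")
    return status, browser.challenges, browser.prompts
```

With a preemptive browser the server never even re-challenges; with a non-preemptive one it does, but the cached credentials answer it silently, so in both cases the user is back in after one dialog.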


> "Mayne, Peter" wrote:
> 
> Not quite. When basic authentication is used, the browser sends the
> username/password with every request. Invalidating the session will
> not cause the server to rerequest the authentication, because the
> browser sends it anyway.
> 
> Obviously, invalidating the session at the server will have no effect,
> because authentication happens without user intervention on every
> request subsequent to the initial login.
> 
> There is no way to stop the browser sending the username/password with
> basic authentication, so stopping and starting it is the only thing to
> do.
> 
> PJDM
> --
> Peter Mayne
> Technology Consultant
> Spherion Technology Solutions
> Level 1, 243 Northbourne Avenue, Lyneham, ACT, 2602
> T: 61 2 62689727  F: 61 2 62689777
> 
> > -----Original Message-----
> > From: G. Wade Johnson [mailto:wade.johnson@abbnm.com]
> > Sent: Friday, 16 May 2003 12:47 AM
> > To: Tomcat Users List
> > Subject: Re: logout and login again
> >
> >
> > One surprise with the BASIC authentication is that the browser retains
> > the userid and password you enter until it is restarted.
> >
> > When you invalidate the session, your server will rerequest the basic
> > authentication from the browser. The browser finds that it already has
> > a userid and password for this server/realm combination and sends it
> > without bothering the end user.
> >
> > G. Wade
> >
> > Werner van Mook wrote:
> > >
> > > Hi,
> > >
> > > I'm new to this list so forgive me if this question has been asked
> > > before (although I couldn't find it in the archives).
> > >
> > > I have a web app for which a user has to log in with a name and
> > > password.
> > > I give the users a way to logout by invalidating the current session.
> > >
> > > Now it should be possible to go back to the page where you have to log
> > > in and ask for the name and password.
> > >
> > > This will not work for me. My browser does not show a login window.
> > > It only shows it when I restart my browser.
> > >
> > > I use basic authentication with the standard tomcat memory realm.
> > >
> > > I hope I'm clear in my story.
> > >
> > > Can anybody point me in the right direction?
> > >
> > > Werner

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
