tomcat-users mailing list archives

From "Mayne, Peter" <PeterMa...@ap.spherion.com>
Subject RE: logout and login again
Date Sun, 18 May 2003 23:54:39 GMT
Do you know of any browsers that don't send the basic authentication header
with every request?

Your last paragraph is an excellent generalisation. :-)

PJDM
-- 
Peter Mayne
Technology Consultant
Spherion Technology Solutions
Level 1, 243 Northbourne Avenue, Lyneham, ACT, 2602
T: 61 2 62689727  F: 61 2 62689777

> -----Original Message-----
> From: G. Wade Johnson [mailto:wade.johnson@abbnm.com] 
> Sent: Saturday, 17 May 2003 12:00 AM
> To: Tomcat Users List
> Subject: Re: logout and login again
> 
> 
> Almost... From RFC 2617,
> 
>    A client SHOULD assume that all paths at or deeper than the depth of
>    the last symbolic element in the path field of the Request-URI also
>    are within the protection space specified by the Basic realm value of
>    the current challenge. A client MAY preemptively send the
>    corresponding Authorization header with requests for resources in
>    that space without receipt of another challenge from the server.
> 
> So the browser may send the userid and password each time (if the
> request is deeper in the tree), but it's not required to.
> 
> In other words, if you don't want the browser to do this...it will,
> and if you rely on the browser to do this...a browser somewhere won't.
> <grin/>
> 
> G. Wade
> 
> 
> > "Mayne, Peter" wrote:
> > 
> > Not quite. When basic authentication is used, the browser sends the
> > username/password with every request. Invalidating the session will
> > not cause the server to rerequest the authentication, because the
> > browser sends it anyway.
> > 
> > Obviously, invalidating the session at the server will have no effect,
> > because authentication happens without user intervention on every
> > request subsequent to the initial login.
> > 
> > There is no way to stop the browser sending the username/password with
> > basic authentication, so stopping and starting it is the only thing to
> > do.
> > 
> > PJDM
> > --
> > Peter Mayne
> > Technology Consultant
> > Spherion Technology Solutions
> > Level 1, 243 Northbourne Avenue, Lyneham, ACT, 2602
> > T: 61 2 62689727  F: 61 2 62689777
> > 
> > > -----Original Message-----
> > > From: G. Wade Johnson [mailto:wade.johnson@abbnm.com]
> > > Sent: Friday, 16 May 2003 12:47 AM
> > > To: Tomcat Users List
> > > Subject: Re: logout and login again
> > >
> > >
> > > One surprise with the BASIC authentication is that the browser retains
> > > the userid and password you enter until it is restarted.
> > >
> > > When you invalidate the session, your server will rerequest the basic
> > > authentication from the browser. The browser finds that it already has
> > > a userid and password for this server/realm combination and sends it
> > > without bothering the end user.
> > >
> > > G. Wade
> > >
> > > Werner van Mook wrote:
> > > >
> > > > Hi,
> > > >
> > > > I'm new to this list so forgive me if this question has been asked
> > > > before.
> > > > (although I couldn't find it in the archives).
> > > >
> > > > I have a web app for which a user has to log in with a name and
> > > > password.
> > > > I give the users a way to logout by invalidating the current session.
> > > >
> > > > Now it should be possible to go back to the page where you have to log
> > > > in and ask for the name and password.
> > > >
> > > > This will not work for me. My browser does not show a login window.
> > > > It only shows it when I restart my browser.
> > > >
> > > > I use basic authentication with the standard tomcat memory realm.
> > > >
> > > > I hope I'm clear in my story.
> > > >
> > > > Can anybody point me in the right direction.
> > > >
> > > > Werner
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 

The information contained in this email and any attachments to it:

(a) may be confidential and if you are not the intended recipient, any interference with,
use, disclosure or copying of this material is unauthorised and prohibited; and

(b) may contain personal information of the recipient and/or the sender as defined 
under the Privacy Act 1988 (Cth). Consent is hereby given by the recipient(s) to 
collect, hold and use such information and any personal information contained in a 
response to this email, for any reasonable purpose in the ordinary course of 
Spherion's 
business, including forwarding this email internally or disclosing it to a third party. All
personal information collected by Spherion will be handled in accordance with
Spherion's Privacy Policy. If you have received this email in error, please notify the 
sender and delete it.

(c) you agree not to employ or arrange employment for any candidate(s) supplied in 
this email and any attachments without first entering into a contractual agreement with 
Spherion. You further agree not to divulge any information contained in this document 
to any person(s) or entities without the express permission of Spherion.
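
The behaviour discussed in this thread, as an added example that is not part of any poster's message and is not Tomcat code: a toy server and browser model showing that invalidating the server-side session produces no new login prompt, because the cached Authorization header is sent for any path in the same protection space. All class names, paths, the realm and the account are constructed for illustration.

```python
import base64

USERS = {"werner": "s3cret"}  # constructed account standing in for a memory realm
REALM = "app"                 # constructed realm name

class Server:
    """Toy BASIC-protected server with a session table (not Tomcat code)."""
    def __init__(self):
        self.sessions = set()

    def handle(self, path, authorization=None):
        if authorization and authorization.startswith("Basic "):
            decoded = base64.b64decode(authorization[6:]).decode()
            user, _, password = decoded.partition(":")
            if USERS.get(user) == password:
                self.sessions.add(user)   # session is re-created without a prompt
                return 200, user
        return 401, f'Basic realm="{REALM}"'

    def invalidate(self, user):
        self.sessions.discard(user)       # the "logout" from the original question

class Browser:
    """Caches the Authorization header per protection space (RFC 2617 wording)."""
    def __init__(self, server):
        self.server, self.cache, self.prompts = server, {}, 0

    def get(self, path, typed=("werner", "s3cret")):
        # Preemptively reuse a header cached for this path prefix, if any.
        header = next((h for p, h in self.cache.items() if path.startswith(p)), None)
        status, _ = self.server.handle(path, header)
        if status == 401:
            self.prompts += 1             # only now does the user see a login window
            header = "Basic " + base64.b64encode(":".join(typed).encode()).decode()
            status, _ = self.server.handle(path, header)
            if status == 200:
                self.cache[path.rsplit("/", 1)[0] + "/"] = header
        return status

def demo():
    server = Server()
    browser = Browser(server)
    first = browser.get("/app/index.jsp")          # challenge, prompt, then 200
    server.invalidate("werner")                    # session gone on the server
    second = browser.get("/app/account/edit.jsp")  # deeper path, header sent anyway
    return first, second, browser.prompts, "werner" in server.sessions

if __name__ == "__main__":
    print(demo())
```

The single prompt across both requests, and the session reappearing after `invalidate`, is the effect the original poster observed; a request outside the cached path prefix is the only case in this model that prompts again.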


