From: "Mayne, Peter"
To: 'Tomcat Users List'
Subject: RE: logout and login again
Date: Mon, 19 May 2003 09:54:39 +1000

Do you know of any browsers that don't send the basic authentication header with every request?

Your last paragraph is an excellent generalisation. :-)

PJDM
--
Peter Mayne
Technology Consultant
Spherion Technology Solutions
Level 1, 243 Northbourne Avenue, Lyneham, ACT, 2602
T: 61 2 62689727  F: 61 2 62689777

> -----Original Message-----
> From: G. Wade Johnson [mailto:wade.johnson@abbnm.com]
> Sent: Saturday, 17 May 2003 12:00 AM
> To: Tomcat Users List
> Subject: Re: logout and login again
>
>
> Almost... From RFC 2617,
>
>    A client SHOULD assume that all paths at or deeper than the depth of
>    the last symbolic element in the path field of the Request-URI also
>    are within the protection space specified by the Basic realm value of
>    the current challenge. A client MAY preemptively send the
>    corresponding Authorization header with requests for resources in
>    that space without receipt of another challenge from the server.
>
> So the browser may send the userid and password each time (if the
> request is deeper in the tree), but it's not required to.
>
> In other words, if you don't want the browser to do this...it will,
> and if you rely on the browser to do this...a browser somewhere won't.
> <grin/>
>
> G. Wade
>
>
> > "Mayne, Peter" wrote:
> >
> > Not quite. When basic authentication is used, the browser sends the
> > username/password with every request. Invalidating the session will
> > not cause the server to rerequest the authentication, because the
> > browser sends it anyway.
> >
> > Obviously, invalidating the session at the server will have no effect,
> > because authentication happens without user intervention on every
> > request subsequent to the initial login.
> >
> > There is no way to stop the browser sending the username/password with
> > basic authentication, so stopping and starting it is the only thing to
> > do.
> >
> > PJDM
> > --
> > Peter Mayne
> > Technology Consultant
> > Spherion Technology Solutions
> > Level 1, 243 Northbourne Avenue, Lyneham, ACT, 2602
> > T: 61 2 62689727  F: 61 2 62689777
> >
> > > -----Original Message-----
> > > From: G. Wade Johnson [mailto:wade.johnson@abbnm.com]
> > > Sent: Friday, 16 May 2003 12:47 AM
> > > To: Tomcat Users List
> > > Subject: Re: logout and login again
> > >
> > >
> > > One surprise with the BASIC authentication is that the browser retains
> > > the userid and password you enter until it is restarted.
> > >
> > > When you invalidate the session, your server will rerequest the basic
> > > authentication from the browser. The browser finds that it already has
> > > a userid and password for this server/realm combination and sends it
> > > without bothering the end user.
> > >
> > > G. Wade
> > >
> > > Werner van Mook wrote:
> > > >
> > > > Hi,
> > > >
> > > > I'm new to this list so forgive me if this question has been asked
> > > > before.
> > > > (although I couldn't find it in the archives).
> > > >
> > > > I have a web app for which a user has to log in with a name and
> > > > password.
> > > > I give the users a way to logout by invalidating the current session.
> > > >
> > > > Now it should be possible to go back to the page where you have to log
> > > > in and ask for the name and password.
> > > >
> > > > This will not work for me. My browser does not show a login window.
> > > > It only shows it when I restart my browser.
> > > >
> > > > I use basic authentication with the standard tomcat memory realm.
> > > >
> > > > I hope I'm clear in my story.
> > > >
> > > > Can anybody point me in the right direction?
> > > >
> > > > Werner
>
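
Added example, not part of the original thread: a small Python model of the exchange discussed above, showing that invalidating the server session produces no new login dialog whether the browser sends the Authorization header preemptively (the RFC 2617 MAY) or only answers the 401 challenge from its credential cache. The `Server` and `Browser` classes, the realm name, the paths and the credentials are constructed for illustration; the server is a simplification that authenticates from the header alone and records sessions only as bookkeeping.

```python
import base64

REALM = "Demo Realm"                  # constructed realm name
USERS = {"werner": "s3cret"}          # constructed credentials

class Server:
    """Simplified BASIC-auth server: each request is judged by its header."""
    def __init__(self):
        self.sessions = set()

    def handle(self, path, headers):
        auth = headers.get("Authorization", "")
        if auth.startswith("Basic "):
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
            if USERS.get(user) == pw:
                self.sessions.add(user)       # session silently (re)created
                return 200, {}
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}

    def logout(self, user):
        self.sessions.discard(user)           # models session invalidation

class Browser:
    def __init__(self, server, preemptive):
        self.server, self.preemptive = server, preemptive
        self.cache = {}       # realm -> (path prefix, Authorization value)
        self.prompts = 0      # number of login dialogs shown to the user

    def _prompt(self):
        self.prompts += 1
        return "Basic " + base64.b64encode(b"werner:s3cret").decode()

    def get(self, path):
        headers = {}
        hit = next((c for c in self.cache.values() if path.startswith(c[0])), None)
        if hit and self.preemptive:           # RFC 2617: MAY preemptively send
            headers["Authorization"] = hit[1]
        status, resp = self.server.handle(path, headers)
        if status == 401:                     # challenged: use cache, else ask user
            realm = resp["WWW-Authenticate"].split('"')[1]
            cred = self.cache[realm][1] if realm in self.cache else self._prompt()
            # protection space: paths at or below this URI's directory
            self.cache[realm] = (path.rsplit("/", 1)[0] + "/", cred)
            status, _ = self.server.handle(path, {"Authorization": cred})
        return status

def prompts_after_logout(preemptive):
    """Log in, invalidate the session, revisit; return (status, dialogs, session?)."""
    server = Server()
    browser = Browser(server, preemptive)
    browser.get("/app/index.jsp")             # first visit: one login dialog
    server.logout("werner")
    status = browser.get("/app/login.jsp")    # user tries to "log in again"
    return status, browser.prompts, "werner" in server.sessions
```

Both `prompts_after_logout(True)` and `prompts_after_logout(False)` end with one dialog in total and a live session again, which is the behaviour Werner reported.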
