tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mike Curwen" <>
Subject RE: JDBCRealm - Session not timing out
Date Thu, 10 Jul 2003 17:13:24 GMT
I had thought (and replied so in a separate thread) that BASIC auth
would also time out.  But even if it doesn't...  How could J2EE work, if
the following didn't happen:

1. User gets authenticated with BASIC AUTH
2. User lets their session timeout
3. User requests a protected page.
4. container asks for credentials
5. browser sends them
6. container says: "those credentials are for an expired session, I'm
re-auth'ing you"
7. you get the OS-level prompt to login again.
If this *doesn't* happen, then isn't using BASIC AUTH to protect your
resources bound to break your app at some point?  Ex: shopping cart
beans in the session (that is no longer there, even though you are still

Hopefully a Tomcat commiter will help us out.  

I'd give this all a try myself, but it's lunchtime!  ;)

> -----Original Message-----
> From: Jacob Kjome [] 
> Sent: Thursday, July 10, 2003 11:16 AM
> To: Tomcat Users List
> Subject: Re: JDBCRealm - Session not timing out
> At 12:09 PM 7/10/2003 -0400, you wrote:
> >Should my JDBCRealm login reset when the session times out?
> >
> >I have tried it in both Basic AUTH and Form AUTH.
> >My session never times out.
> I'm not entirely sure about Form AUTH, but Basic AUTH doesn't use 
> sessions.  The browser caches the login information provided 
> and re-sends 
> it on each request.  So, there is no real "time out" for 
> Basic AUTH.  The 
> only equivalent would be to close all open browsers.  This 
> deletes the 
> cache of the Basic AUTH credentials forcing the user to 
> re-enter it once a 
> new browser is opened and the protected web site is re-visited.
> Jake
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message