tomcat-users mailing list archives

From Rick Roberts <>
Subject Re: JDBCRealm - Session not timing out
Date Thu, 10 Jul 2003 17:55:33 GMT
 > I'm not entirely sure about Form AUTH, but Basic AUTH doesn't use
 > sessions.  The browser caches the login information provided and
 > re-sends it on each request.  So, there is no real "time out" for Basic
 > AUTH.  The only equivalent would be to close all open browsers.  This
 > deletes the cache of the Basic AUTH credentials forcing the user to
 > re-enter it once a new browser is opened and the protected web site is
 > re-visited.

And that is exactly why Basic AUTH is unacceptable.  The only way to log in
with different user credentials is to kill all instances of your browser.

I have seen references (hints) about invalidating the session to force a
re-login.  However, I cannot find any information that explains how / when the
session is created or how I can use that session.

(I frequently use session objects and am familiar with how they work, but
using JDBCRealm is new to me)

When I set up for Form AUTH and navigate to the test URL, I see the following:


Which seems to indicate that a session has been created.

Now, if it has been created, how can I use it?  I would like to add my objects 
to the session object.

* Rick Roberts                            *
* Advanced Information Technologies, Inc. *
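
An added example, not part of the original message: under container-managed FORM authentication the login state lives in the same `HttpSession` the application gets from `request.getSession()`, so the application can store its own objects there, set the idle timeout, and invalidate the session to force a new login. The class name `AccountServlet`, the attribute name `loginName` and the 15-minute timeout are assumptions; the imports are the `javax.servlet` API of that period (`jakarta.servlet` on Tomcat 10 and later).

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet; map it to a URL covered by the <security-constraint>.
public class AccountServlet extends HttpServlet {

    // GET: reached only after the container has authenticated the caller.
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Same session the FORM login is bound to; application objects go here.
        HttpSession session = req.getSession();
        if (session.getAttribute("loginName") == null) {
            session.setAttribute("loginName", req.getRemoteUser());
            // Idle timeout in seconds; overrides <session-timeout> for this session.
            session.setMaxInactiveInterval(15 * 60);
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("user=" + session.getAttribute("loginName")
                + " authType=" + req.getAuthType());
    }

    // POST: logout. POST keeps a stray link or image tag from ending the session.
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpSession session = req.getSession(false); // do not create one just to destroy it
        if (session != null) {
            session.invalidate(); // drops the stored objects and the FORM login state
        }
        if (HttpServletRequest.BASIC_AUTH.equals(req.getAuthType())) {
            // With BASIC the browser resends its cached credentials on the next
            // request, so invalidating the session does not force a new login.
            resp.setContentType("text/plain");
            resp.getWriter().println("Session cleared; BASIC credentials stay cached in the browser.");
            return;
        }
        // With FORM the next request to a protected URL is sent to the login page.
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```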
