Message-Id: <5.2.0.9.2.20030710122252.03b81e48@shell.visi.com>
Date: Thu, 10 Jul 2003 12:29:05 -0500
To: "Tomcat Users List"
From: Jacob Kjome
Subject: RE: JDBCRealm - Session not timing out
In-Reply-To: <011d01c34706$92948a50$6f00000a@BALTHAZAR>
References: <5.2.0.9.2.20030710111231.028a70e8@shell.visi.com>

There is a fundamental difference between Basic AUTH and the HttpSession.
The former gets you general access to the application. The latter is used for persistence of data across a given amount of time. So, if the user let their session time out, but their browser is still open so the Basic AUTH gets resent automatically, you'd just start them over with a new session. Don't make any assumptions that Basic AUTH and the HttpSession know anything about each other. The only thing that might break is the logic in your own app if you fail to recognize the difference between authentication and the session.

Jake

At 12:13 PM 7/10/2003 -0500, you wrote:
>I had thought (and replied so in a separate thread) that BASIC auth
>would also time out. But even if it doesn't... How could J2EE work, if
>the following didn't happen:
>
>1. User gets authenticated with BASIC AUTH
>2. User lets their session timeout
>3. User requests a protected page.
>4. container asks for credentials
>5. browser sends them
>6. container says: "those credentials are for an expired session, I'm
>re-auth'ing you"
>7. you get the OS-level prompt to login again.
>
>If this *doesn't* happen, then isn't using BASIC AUTH to protect your
>resources bound to break your app at some point? Ex: shopping cart
>beans in the session (that is no longer there, even though you are still
>'authenticated').
>
>Hopefully a Tomcat committer will help us out.
>
>I'd give this all a try myself, but it's lunchtime! ;)
>
> > -----Original Message-----
> > From: Jacob Kjome [mailto:hoju@visi.com]
> > Sent: Thursday, July 10, 2003 11:16 AM
> > To: Tomcat Users List
> > Subject: Re: JDBCRealm - Session not timing out
> >
> > At 12:09 PM 7/10/2003 -0400, you wrote:
> > >Should my JDBCRealm login reset when the session times out?
> > >
> > >I have tried it in both Basic AUTH and Form AUTH.
> > >My session never times out.
> >
> > I'm not entirely sure about Form AUTH, but Basic AUTH doesn't use
> > sessions. The browser caches the login information provided and re-sends
> > it on each request. So, there is no real "time out" for Basic AUTH. The
> > only equivalent would be to close all open browsers. This deletes the
> > cache of the Basic AUTH credentials forcing the user to re-enter it once a
> > new browser is opened and the protected web site is re-visited.
> >
> > Jake
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
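An added example (not code from this thread or from Tomcat) of the distinction Jake describes: a servlet filter that treats container authentication and the HttpSession as independent, detects that the session expired while the browser kept resending BASIC credentials, and rebuilds the application state instead of assuming it survived. It assumes the Servlet 2.3 API (javax.servlet) and a hypothetical session attribute named "cart".

```java
// Added example, not code from the thread. Assumes the Servlet 2.3 API
// (javax.servlet) and a hypothetical session attribute named "cart".
import java.io.IOException;
import java.util.ArrayList;
import javax.servlet.*;
import javax.servlet.http.*;

public class SessionExpiryFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;

        // Container authentication: with BASIC the browser resends credentials on
        // every request, so this stays non-null even after the HttpSession timed out.
        String user = request.getRemoteUser();

        // The browser presented a JSESSIONID the container no longer knows: the
        // session timed out (or was invalidated) while the user stayed "logged in".
        boolean sessionExpired = request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();

        // Ask for the existing session without creating one as a side effect.
        HttpSession session = request.getSession(false);

        if (user != null && (session == null || session.getAttribute("cart") == null)) {
            // Authenticated but no cart: rebuild application state explicitly
            // instead of letting downstream code assume the cart is still there.
            session = request.getSession(true);
            session.setAttribute("cart", new ArrayList());
            if (sessionExpired) {
                // Let the view tell the user the previous cart was lost; the
                // container itself will not re-prompt for BASIC credentials.
                request.setAttribute("cartExpired", Boolean.TRUE);
            }
        }
        chain.doFilter(req, res);
    }
}
```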