In most applications this is one of those *perceived* problems that
corporate users get uptight about.
The best way to prevent abuse of an idle authenticated browser window is
a screensaver with password lock -- as it protects the rest of the
computer, the documents thereon, etc.
The only really good case for a logout is where you have a shared
computer with many different users coming and going -- and all using a
single "guest" account on the client itself rather than separate
logins. In this case a "logoff" button that closed down the browser
would not be a half bad idea :-)
--
Jess Holle
P.S. Yes, I know transferring the name/password only on initial
authentication and using a session key of some sort from thereon out is
fractionally more secure -- but you still need HTTPS to really be secure
in either case.
Robert Harper wrote:
>If you read the docs on BASIC authentication, you will find that the browser
>caches the login information and will provide it every time you return to
>that site. The way to log out is to close the browser. Apparently this has
>been a problem for web developers for some time. Browser developers have not
>seen this as a problem. Instead they seem to feel that the caching is a
>benefit to the user by not requiring them to re-enter the same information.
>
>Robert S. Harper
>801.265.8800 ext. 255
>robert@iat-cti.com
>-----Original Message-----
>From: Robert r. Sanders [mailto:robert.sanders@ipov.net]
>Sent: Wednesday, April 20, 2005 10:07 AM
>To: Tomcat Users List
>Subject: Re: Can't do logout in basic authentication
>
>You can try google:
>http://www.modpython.org/pipermail/mod_python/2001-August/012120.html
>
>Otgonbayar wrote:
>
>
>>I am using basic authentication in my application and I need to create
>>logout link in my JSP that does LOGOUT.
>>It seems session.invalidate() doesn't work.
>>How can I do this? Please help me!
>>Thanks
>>Otgo
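
The behaviour discussed in this thread, as an added example that is not code from any of the posters or from Tomcat: a small Python model of a server using BASIC authentication and a browser that caches the credentials, showing why invalidating the server-side session does not log the user out. The names `handle`, `invalidate` and `Browser` and the sample account are assumptions made for the illustration.

```python
import base64
import hmac
import secrets

USERS = {b"otgo": b"s3cret"}   # constructed sample account
SESSIONS = {}                   # session id -> user name

def handle(headers):
    """Hypothetical server protecting one resource with BASIC authentication."""
    challenge = (401, {"WWW-Authenticate": 'Basic realm="app"'})
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return challenge
    try:
        user, _, password = base64.b64decode(auth[6:]).partition(b":")
    except ValueError:              # malformed base64
        return challenge
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected, password):
        return challenge
    sid = headers.get("Cookie")
    if sid not in SESSIONS:         # no live session: a new one is created silently
        sid = secrets.token_hex(8)
        SESSIONS[sid] = user
    return 200, {"Set-Cookie": sid}

def invalidate(sid):
    """Server-side logout attempt, standing in for session.invalidate()."""
    SESSIONS.pop(sid, None)

class Browser:
    """Models the credential caching described in the thread."""
    def __init__(self, user, password):
        self.typed = f"{user}:{password}".encode()  # what the user types at the prompt
        self.auth = self.cookie = None
        self.prompts = 0

    def get(self):
        sent = (("Authorization", self.auth), ("Cookie", self.cookie))
        headers = {k: v for k, v in sent if v}
        status, reply = handle(headers)
        if status == 401:           # challenged: prompt once, cache, retry
            self.prompts += 1
            self.auth = "Basic " + base64.b64encode(self.typed).decode()
            status, reply = handle({**headers, "Authorization": self.auth})
        self.cookie = reply.get("Set-Cookie", self.cookie)
        return status

    def close(self):                # closing the browser drops the cached credentials
        self.auth = self.cookie = None
```

After `invalidate()` the next `get()` still returns 200 without a new prompt, because the cached `Authorization` header, which is only base64-encoded, is sent again on every request; only `close()` makes the server's 401 challenge reach the user.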