tomcat-users mailing list archives

From Jess Holle <>
Subject Re: Can't do logout in basic authentication
Date Wed, 20 Apr 2005 17:12:26 GMT
In most applications this is one of those *perceived* problems that 
corporate users get uptight about.

The best way to prevent abuse of an idle authenticated browser window is 
a screensaver with password lock -- as it protects the rest of the 
computer, the documents thereon, etc.

The only really good case for a logout is where you have a shared 
computer with many different users coming and going -- and all using a 
single "guest" account on the client itself rather than separate 
logins.  In this case a "logoff" button that closed down the browser 
would not be a half bad idea :-)

Jess Holle

P.S.  Yes, I know transferring the name/password only on initial 
authentication and using a session key of some sort from thereon out is 
fractionally more secure -- but you still need HTTPS to really be secure 
in either case.

Robert Harper wrote:

>If you read the docs on BASIC authentication, you will find that the browser
>caches the login information and will provide it every time you return to
>that site. The way to log out is to close the browser. Apparently this has
>been a problem for web developers for some time. Browser developers have not
>seen this as a problem. Instead they seem to feel that the caching is a
>benefit to the user by not requiring them to re-enter the same information.
>Robert S. Harper
>801.265.8800 ext. 255
>-----Original Message-----
>From: Robert r. Sanders [] 
>Sent: Wednesday, April 20, 2005 10:07 AM
>To: Tomcat Users List
>Subject: Re: Can't do logout in basic authentication
>You can try google:  
>Otgonbayar wrote:
>>I am using basic authentication in my application and I need to create
>>logout link in my JSP that does LOGOUT. 
>>It seems session.invalidate() doesn't work.
>>How can I do this? Please help me!

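
Why a logout link that only calls session.invalidate() has no visible effect under BASIC authentication, as an added example that is not part of the original thread: a self-contained Python model of the credential caching Robert Harper describes. The account, realm, and the `handle`, `invalidate`, `Browser` and `demo` names are hypothetical and are not Tomcat APIs.

```python
import base64
import secrets
USERS = {"alice": "s3cret"}  # constructed sample account
SESSIONS = {}                # server-side session table: id -> user

def handle(headers):
    """Hypothetical toy BASIC-protected resource (not Tomcat code); returns (status, headers)."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    name = pw = ""
    if scheme == "Basic":
        try:
            name, _, pw = base64.b64decode(blob).decode().partition(":")
        except ValueError:   # malformed base64 or non-UTF-8 bytes
            pass
    if name not in USERS or not secrets.compare_digest(USERS[name].encode(), pw.encode()):
        return 401, {"WWW-Authenticate": 'Basic realm="demo"'}
    sid = headers.get("Cookie")
    if sid not in SESSIONS:  # no live session: a fresh one is created silently
        sid = secrets.token_hex(8)
        SESSIONS[sid] = name
    return 200, {"Set-Cookie": sid}

def invalidate(sid):         # stands in for session.invalidate(): server state only
    SESSIONS.pop(sid, None)

class Browser:
    """Caches BASIC credentials after one prompt and replays them on every request."""
    def __init__(self):
        self.cached_auth, self.cookie, self.prompts = None, None, 0
    def get(self, user, password):
        headers = {"Cookie": self.cookie} if self.cookie else {}
        if self.cached_auth:
            headers["Authorization"] = self.cached_auth
        status, resp = handle(headers)
        if status == 401:    # the only point at which the user is asked
            self.prompts += 1
            token = base64.b64encode(f"{user}:{password}".encode()).decode()
            self.cached_auth = headers["Authorization"] = "Basic " + token
            status, resp = handle(headers)
        self.cookie = resp.get("Set-Cookie", self.cookie)
        return status

def demo():
    b = Browser()
    first = b.get("alice", "s3cret")   # one prompt, session created
    old_sid = b.cookie
    invalidate(old_sid)                # the "logout" link
    second = b.get("alice", "s3cret")  # cached header re-authenticates, no prompt
    return first, second, b.prompts, old_sid in SESSIONS, b.cookie != old_sid
```

The old session is gone after `invalidate`, but the next request still succeeds without a prompt and receives a new session id; only a fresh `Browser()` (closing the browser) is asked for credentials again.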