tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jess Holle <>
Subject Re: Can't do logout in basic authentication
Date Wed, 20 Apr 2005 17:28:46 GMT
P.S.  Freeing one's *session* on leaving works with any type of 
authentication and makes sense in many cases -- it's just harder to 
communicate this concept to the user...

Jess Holle wrote:

> In most applications this is one of those *perceived* problems that 
> corporate users get uptight about.
> The best way to prevent abuse of an idle authenticated browser window 
> is a screensaver with password lock -- as it protects the rest of the 
> computer, the documents thereon, etc.
> The only really good case for a logout is where you have a shared 
> computer with many different users coming and going -- and all using a 
> single "guest" account on the client itself rather than separate 
> logins.  In this case a "logoff" button that closed down the browser 
> would not be a half bad idea :-)
> --
> Jess Holle
> P.S.  Yes, I know transfering the name/password only on initial 
> authentication and using a session key of some sort from thereon out 
> is fractionally more secure -- but you still need HTTPS to really be 
> secure in either case.

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message