tomcat-users mailing list archives

From André Warnier
Subject Re: Example to logout on Tomcat 7 and SSL + Realm
Date Fri, 16 Sep 2011 17:38:08 GMT

Christopher Schultz wrote:
> Why do you think that HttpSession.invalidate() should act as a log out
> mechanism when using CLIENT-CERT authentication?
I guess that where the OP (and I) get a little confused is in the distinction between the
state of "having a session" and "being logged-in", and maybe the sequence in which these
things happen.

But we are willing to be educated (or at least I am) (and the other thread you mention is
not really very explicit in that respect).

So let's say

1) a browser sends a first request to Tomcat, and this happens to be directed to an 
application which requires authentication (container-driven).

2) Tomcat intercepts the request (because of the authentication requirement), sends back 
something to the browser which tells the browser (or the user) to supply credentials.

3) the browser (or the user) supplies the credentials along with a subsequent request

4) Tomcat intercepts this again, verifies the credentials, and if they "fit", allows the 
request (now "authenticated") to proceed to the application which had been requested in 
the first place.

(and I know that there is some variety in the above, depending on the type of
authentication, but roughly that's it, no?)

5) then the request hits the application, and it is the application which "decides" if a
session is created or not. Yes?

And if it decides so, this creates some storage place for this "session thing", and makes
it so that a cookie will later be sent back to the browser, with an id pointing to this
session storage thing, so that a subsequent request which provides this cookie, allows the
application to retrieve the saved session and its contents prior to handling the next request.

Now what is maybe less clear, is whether the "session thing" which was created, contains 
or not the authentication data.
And if yes: a "session invalidate" should delete the "session thing" (and the contained
authentication info), and this should have the effect that when the browser sends a
subsequent request, it will find a "no session yet" situation.

Obviously though, "no session" does not necessarily mean "not authenticated", but this is
I believe where the OP (and I) are getting confused.

Can you enlighten us?
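An added illustration, not from this thread and not Tomcat's own code, of the two distinct operations the message is circling around: discarding the session versus telling the container to drop the authenticated user. It targets the Servlet 3.0 API that Tomcat 7 implements; the class name and the redirect target are hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical logout servlet for a Tomcat 7 (Servlet 3.0) web application.
public class LogoutServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Step 1: drop the "session thing" and everything stored in it,
        // including any authenticated principal Tomcat cached there.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        // Step 2: ask the container to forget the authenticated user for
        // this request. This is the Servlet 3.0 logout() call; it is a
        // separate operation from invalidating the session.
        req.logout();
        // Caveat: under CLIENT-CERT the browser presents the same client
        // certificate on the next TLS handshake, so the container will
        // re-authenticate the user transparently. "No session" therefore
        // does not mean "not authenticated" for that auth method.
        resp.sendRedirect(req.getContextPath() + "/loggedout.html");
    }
}
```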
