Posted to users@tomcat.apache.org by "Robert r. Sanders" <ro...@ipov.net> on 2005/04/20 18:07:05 UTC
Re: Can't do logout in basic authentication
You can try google:
http://www.modpython.org/pipermail/mod_python/2001-August/012120.html
Otgonbayar wrote:
>I am using basic authentication in my application and I need to create
>logout link in my JSP that does LOGOUT.
>It seems session.invalidate() doesn't work.
>How can I do this? Please help me!
>Thanks
>Otgo
>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
>
>
--
Robert r. Sanders
Chief Technologist
iPOV
(334) 821-5412
www.ipov.net
Re: Can't do logout in basic authentication
Posted by Jess Holle <je...@ptc.com>.
P.S. Freeing one's *session* on leaving works with any type of
authentication and makes sense in many cases -- it's just harder to
communicate this concept to the user...
Jess Holle wrote:
> In most applications this is one of those *perceived* problems that
> corporate users get uptight about.
>
> The best way to prevent abuse of an idle authenticated browser window
> is a screensaver with password lock -- as it protects the rest of the
> computer, the documents thereon, etc.
>
> The only really good case for a logout is where you have a shared
> computer with many different users coming and going -- and all using a
> single "guest" account on the client itself rather than separate
> logins. In this case a "logoff" button that closed down the browser
> would not be a half bad idea :-)
>
> --
> Jess Holle
>
> P.S. Yes, I know transferring the name/password only on initial
> authentication and using a session key of some sort from thereon out
> is fractionally more secure -- but you still need HTTPS to really be
> secure in either case.
Re: Can't do logout in basic authentication
Posted by Jess Holle <je...@ptc.com>.
In most applications this is one of those *perceived* problems that
corporate users get uptight about.
The best way to prevent abuse of an idle authenticated browser window is
a screensaver with password lock -- as it protects the rest of the
computer, the documents thereon, etc.
The only really good case for a logout is where you have a shared
computer with many different users coming and going -- and all using a
single "guest" account on the client itself rather than separate
logins. In this case a "logoff" button that closed down the browser
would not be a half bad idea :-)
--
Jess Holle
P.S. Yes, I know transferring the name/password only on initial
authentication and using a session key of some sort from thereon out is
fractionally more secure -- but you still need HTTPS to really be secure
in either case.
Robert Harper wrote:
>If you read the docs on BASIC authentication, you will find that the browser
>caches the login information and will provide it every time you return to
>that site. The way to log out is to close the browser. Apparently this has
>been a problem for web developers for some time. Browser developers have not
>seen this as a problem. Instead they seem to feel that the caching is a
>benefit to the user by not requiring them to re-enter the same information.
>
>Robert S. Harper
>801.265.8800 ext. 255
>robert@iat-cti.com
>-----Original Message-----
>From: Robert r. Sanders [mailto:robert.sanders@ipov.net]
>Sent: Wednesday, April 20, 2005 10:07 AM
>To: Tomcat Users List
>Subject: Re: Can't do logout in basic authentication
>
>You can try google:
>http://www.modpython.org/pipermail/mod_python/2001-August/012120.html
>
>Otgonbayar wrote:
>
>
>>I am using basic authentication in my application and I need to create
>>logout link in my JSP that does LOGOUT.
>>It seems session.invalidate() doesn't work.
>>How can I do this? Please help me!
>>Thanks
>>Otgo
RE: Can't do logout in basic authentication
Posted by Robert Harper <ro...@iat-cti.com>.
If you read the docs on BASIC authentication, you will find that the browser
caches the login information and will provide it every time you return to
that site. The way to log out is to close the browser. Apparently this has
been a problem for web developers for some time. Browser developers have not
seen this as a problem. Instead they seem to feel that the caching is a
benefit to the user by not requiring them to re-enter the same information.
Robert S. Harper
801.265.8800 ext. 255
robert@iat-cti.com
-----Original Message-----
From: Robert r. Sanders [mailto:robert.sanders@ipov.net]
Sent: Wednesday, April 20, 2005 10:07 AM
To: Tomcat Users List
Subject: Re: Can't do logout in basic authentication
You can try google:
http://www.modpython.org/pipermail/mod_python/2001-August/012120.html
Otgonbayar wrote:
>I am using basic authentication in my application and I need to create
>logout link in my JSP that does LOGOUT.
>It seems session.invalidate() doesn't work.
>How can I do this? Please help me!
>Thanks
>Otgo
--
Robert r. Sanders
Chief Technologist
iPOV
(334) 821-5412
www.ipov.net
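
Added example (not part of any message in this thread, and not Tomcat code): a small Python model of the behaviour discussed above. The browser resends its cached BASIC credentials, so invalidating the server-side session does not log the user out, while the same invalidation ends a session-key login. `Server`, `Browser`, `demo` and the `otgo` account are constructed for illustration.

```python
import base64
import secrets

USERS = {"otgo": "demo-password"}  # constructed demo account

class Server:  # toy stand-in for the container: credential check + session table
    def __init__(self):
        self.sessions = {}  # session id -> user name
    def login(self, user, password):  # credentials checked once, session key returned
        sid = secrets.token_hex(16) if USERS.get(user) == password else None
        if sid:
            self.sessions[sid] = user
        return sid
    def invalidate(self, sid):  # the effect of session.invalidate()
        self.sessions.pop(sid, None)
    def handle_basic(self, headers):  # BASIC: header re-checked on every request
        scheme, _, blob = headers.get("Authorization", "").partition(" ")
        user, _, password = base64.b64decode(blob).decode().partition(":")
        if scheme != "Basic" or USERS.get(user) != password:
            return 401, None
        sid = headers.get("Cookie")  # session gone? a new one is created silently
        return 200, (sid if sid in self.sessions else self.login(user, password))
    def handle_session(self, headers):  # session-key scheme: only the cookie counts
        return 200 if headers.get("Cookie") in self.sessions else 401

class Browser:  # models the credential cache described in the thread
    def __init__(self, server):
        self.server, self.cached, self.cookie = server, None, None
    def get_basic(self, typed=None):
        creds = self.cached or typed  # cached credentials go out without a prompt
        headers = {"Cookie": self.cookie} if self.cookie else {}
        if creds:
            token = base64.b64encode(":".join(creds).encode()).decode()
            headers["Authorization"] = "Basic " + token
        status, sid = self.server.handle_basic(headers)
        if status == 200:
            self.cached, self.cookie = creds, sid
        return status

def demo():
    server = Server()
    browser = Browser(server)
    first = browser.get_basic(typed=("otgo", "demo-password"))  # typed once
    server.invalidate(browser.cookie)            # logout link: session.invalidate()
    after_invalidate = browser.get_basic()       # nothing typed, cached header is resent
    closed = Browser(server).get_basic()         # browser restarted: cache is empty
    sid = server.login("otgo", "demo-password")  # session-key login
    server.invalidate(sid)
    return first, after_invalidate, closed, server.handle_session({"Cookie": sid})
```

`demo()` returns `(200, 200, 401, 401)`: the BASIC request after invalidation still succeeds, a browser with an empty cache is challenged, and the invalidated session key is rejected.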