Posted to users@tomcat.apache.org by af...@zipmail.com on 2002/12/16 18:58:13 UTC

Invalidate Session Problem

Hello,

I want to say thanks for the help with the other problem and ask another thing.
It is about invalidating a session.

While I was using the FORM to log into the apps I was able to invalidate my
session, but now I am using the BASIC and it is not working.

I read in some places that it may be a bug. Is it, and how can I invalidate
the session some other way?

Thanks.
Ricardo Costa.
________________________________________________
Don't E-Mail, ZipMail! http://www.zipmail.com/

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: Invalidate Session Problem

Posted by Mike W-M <mi...@ward-murphy.co.uk>.
No, there isn't a way to force it.  It's stated as a known problem in
whichever RFC it is that defines the HTTP Basic Authentication mechanism.

Other Mike.

----- Original Message -----
From: <af...@zipmail.com>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Tuesday, December 17, 2002 12:11 PM
Subject: Re: Invalidate Session Problem


I read your text many times but couldn't get to a conclusion.
So, isn't there a way to force a logout and let the user authenticate again?
At least with BASIC.


Re: Invalidate Session Problem

Posted by af...@zipmail.com.
I read your text many times but couldn't get to a conclusion.
So, isn't there a way to force a logout and let the user authenticate again?
At least with BASIC.

On Mon, 16 Dec 2002 13:27:48 -0500
"Michael Nicholson" <ma...@email.unc.edu> wrote:
> From what I understand, the authorization header using BASIC authentication
> has a terrible way of hanging around in most (if not all) browsers.  When
> you access the protected resource, and the browser receives the
> 'authentication needed' header, the browser returns whatever it has stored
> in its memory (i.e., your last login).  I haven't heard of any sure-fire
> ways of stopping that, other than to restart the browser.
>
> This isn't, however, quite the same thing as invalidating a session.
> Invalidating a session simply means that the container (tomcat) is going to
> have to create a new session whenever you use request.getSession() (unless
> you use request.getSession(false) which will probably throw an exception) or
> browse to a jsp that hasn't been told not to use sessions.  And the new
> session will have nothing in it that was put in it before the
> session.invalidate() call.
>
> I've never really looked at form based authentication;  does it possibly
> store some sort of user credential in the session, which is therefore
> removed when the session is invalidated (effectively removed, anyhow, as I
> suppose it's still sitting in that invalidated session until garbage
> collection...), forcing another login?  But basic authentication, at least
> as I understand it, doesn't store it that way.  It gets stored in a header,
> and in the browser.
>
> Mike


Re: Invalidate Session Problem

Posted by Michael Nicholson <ma...@email.unc.edu>.
From what I understand, the authorization header using BASIC authentication
has a terrible way of hanging around in most (if not all) browsers.  When
you access the protected resource, and the browser receives the
'authentication needed' header, the browser returns whatever it has stored
in its memory (i.e., your last login).  I haven't heard of any sure-fire
ways of stopping that, other than to restart the browser.

This isn't, however, quite the same thing as invalidating a session.
Invalidating a session simply means that the container (tomcat) is going to
have to create a new session whenever you use request.getSession() (unless
you use request.getSession(false) which will probably throw an exception) or
browse to a jsp that hasn't been told not to use sessions.  And the new
session will have nothing in it that was put in it before the
session.invalidate() call.

I've never really looked at form based authentication;  does it possibly
store some sort of user credential in the session, which is therefore
removed when the session is invalidated (effectively removed, anyhow, as I
suppose it's still sitting in that invalidated session until garbage
collection...), forcing another login?  But basic authentication, at least
as I understand it, doesn't store it that way.  It gets stored in a header,
and in the browser.

Mike
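
The behaviour described in this reply, as an added example that is not part of the original thread and is not Tomcat code: a small Python model in which the browser resends its cached Authorization header after the session has been invalidated. The user store, the function names and the FORM branch (login state kept only in the session) are assumptions made for illustration.

```python
import base64
import secrets

USERS = {"ricardo": "s3cret"}   # constructed credential store (assumption)
SESSIONS = {}                   # session id -> attributes held by the container

def new_session(user):
    sid = secrets.token_hex(8)
    SESSIONS[sid] = {"user": user}
    return sid

def basic_user(headers):
    """Return the user named by a valid 'Authorization: Basic' header, else None."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(value[6:]).decode().partition(":")
    except ValueError:          # malformed base64 or non-UTF-8 bytes
        return None
    return user if USERS.get(user) == pw else None

def handle(headers, sid, mode):
    """Model of a protected resource. Returns (HTTP status, session id)."""
    if sid in SESSIONS:                     # live session: already logged in
        return 200, sid
    if mode == "BASIC":
        user = basic_user(headers)          # credentials arrive with every request
        return (200, new_session(user)) if user else (401, None)
    return 401, None                        # FORM: login state lived only in the session

def logout(sid):
    SESSIONS.pop(sid, None)                 # the model's session.invalidate()

def replay_after_logout(mode):
    """Log in, invalidate the session, then repeat the request as a browser would."""
    cached = {"Authorization": "Basic " + base64.b64encode(b"ricardo:s3cret").decode()}
    if mode == "BASIC":
        _, sid = handle(cached, None, mode)
    else:
        sid = new_session("ricardo")        # stands in for a successful login form POST
    logout(sid)
    headers = cached if mode == "BASIC" else {}   # only BASIC credentials are resent
    status, new_sid = handle(headers, sid, mode)
    return status, new_sid is not None and new_sid != sid
```

With BASIC the replayed request is accepted and simply receives a fresh, empty session; with FORM the same request is challenged again.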