Posted to users@tomcat.apache.org by kevin ritter <ke...@jcafeinc.com> on 2001/11/15 01:41:01 UTC

Re: Logout with basic autorization

Can anyone verify if this is really the case, that is, to logout with
BASIC authentication you have to close the browser window? This seems to be
a little goofy. Are there any workarounds?

Thank you in advance. Peace
Kevin Ritter

----- Original Message -----
From: "Jonathan Eric Miller" <je...@uchicago.edu>
To: <to...@jakarta.apache.org>
Sent: Wednesday, September 19, 2001 8:58 PM
Subject: Re: Logout with basic autorization


> The only way to logout with basic authentication is to close the Web
> browser. Otherwise, you may want to do form-based authentication.
>
> Jon
>
> ----- Original Message -----
> From: "Oleksandr Fedorenko" <ma...@intercollab.kiev.ua>
> To: <to...@jakarta.apache.org>
> Sent: Wednesday, September 19, 2001 8:43 AM
> Subject: Re: Logout with basic autorization
>
>
> >
> >
> > "P.Miller" wrote:
> >
> > > Hi Oleksandr,
> > >
> > > you can 'logout' with session.invalidate().
> > > You have to login again afterwards.
> > >
> >
> > I do it exactly.
> >
> > But Browser already contains information for authentication, and when I want
> > to access protected page (I want to get auth prompt), it passes it by.
> >
> > >
> > > Hth
> > > Peter
> > >
> > > Oleksandr Fedorenko wrote:
> > > >
> > > > Hi.
> > > >
> > > > How to do really logout using basic authorization ?
> > > >
> > > > I mean to get authorization prompt again by using tomcat engine ? , i.e.
> > > >
> > > > tomcat should care about it . To send smth. in response ?
> > > > If yes, so what to send ?
> > > >
> > > > Thanks.
> > > >
> > > > Alex.
> >


--
To unsubscribe:   <ma...@jakarta.apache.org>
For additional commands: <ma...@jakarta.apache.org>
Troubles with the list: <ma...@jakarta.apache.org>


Re: Logout with basic autorization

Posted by kevin ritter <ke...@jcafeinc.com>.
Thanks for responding; however, I'm already calling session.invalidate() as
shown below:

<%@ page language="java" import="com.jcafeinc.learningCenter.users.*" %>
<%@ include file="global-header.jsp" %>
<html>
<body background="images/icon-background.jpg" bgcolor="000000" link="ffffff"
      vlink="ffffff" alink="ffffff" text="ffffff"
      style="border-width:0;margin-top:0;margin-left:0;margin-right:0">
<%
   // Drop the server-side session, then forward to the landing page.
   request.getSession().invalidate();
   RequestDispatcher rd = getServletContext().getRequestDispatcher("/index2.jsp");
   rd.forward(request, response);
%>
</body>
</html>

Any more suggestions would be greatly appreciated.

Kevin
----- Original Message -----
From: "Tom Drake" <rt...@pobox.com>
To: "Tomcat Users List" <to...@jakarta.apache.org>; "kevin ritter"
<ke...@jcafeinc.com>
Sent: Wednesday, November 14, 2001 7:26 PM
Subject: Re: Logout with basic autorization


> I think your servlet or jsp can simply call session.invalidate().
>
>
> ----- Original Message -----
> From: "kevin ritter" <ke...@jcafeinc.com>
> To: <to...@jakarta.apache.org>
> Sent: Wednesday, November 14, 2001 4:41 PM
> Subject: Re: Logout with basic autorization
>
>
> | Can anyone verify if this is really the case, that is, to logout with
> | BASIC authentication you have to close the browser window? This seems to be
> | a little goofy. Are there any workarounds?
> |
> | Thank you in advance. Peace
> | Kevin Ritter
> |
> | ----- Original Message -----
> | From: "Jonathan Eric Miller" <je...@uchicago.edu>
> | To: <to...@jakarta.apache.org>
> | Sent: Wednesday, September 19, 2001 8:58 PM
> | Subject: Re: Logout with basic autorization
> |
> |
> | > The only way to logout with basic authentication is to close the Web
> | > browser. Otherwise, you may want to do form-based authentication.
> | >
> | > Jon
> | >
> | > ----- Original Message -----
> | > From: "Oleksandr Fedorenko" <ma...@intercollab.kiev.ua>
> | > To: <to...@jakarta.apache.org>
> | > Sent: Wednesday, September 19, 2001 8:43 AM
> | > Subject: Re: Logout with basic autorization
> | >
> | >
> | > >
> | > >
> | > > "P.Miller" wrote:
> | > >
> | > > > Hi Oleksandr,
> | > > >
> | > > > you can 'logout' with session.invalidate().
> | > > > You have to login again afterwards.
> | > > >
> | > >
> | > > I do it exactly.
> | > >
> | > > But Browser already contains information for authentication, and when I want
> | > > to access protected page (I want to get auth prompt), it passes it by.
> | > >
> | > > >
> | > > > Hth
> | > > > Peter
> | > > >
> | > > > Oleksandr Fedorenko wrote:
> | > > > >
> | > > > > Hi.
> | > > > >
> | > > > > How to do really logout using basic authorization ?
> | > > > >
> | > > > > I mean to get authorization prompt again by using tomcat engine ? , i.e.
> | > > > >
> | > > > > tomcat should care about it . To send smth. in response ?
> | > > > > If yes, so what to send ?
> | > > > >
> | > > > > Thanks.
> | > > > >
> | > > > > Alex.
> | > >

Re: Logout with basic autorization

Posted by Tom Drake <rt...@pobox.com>.
I think your servlet or jsp can simply call session.invalidate().


----- Original Message -----
From: "kevin ritter" <ke...@jcafeinc.com>
To: <to...@jakarta.apache.org>
Sent: Wednesday, November 14, 2001 4:41 PM
Subject: Re: Logout with basic autorization


| Can anyone verify if this is really the case, that is, to logout with
| BASIC authentication you have to close the browser window? This seems to be
| a little goofy. Are there any workarounds?
|
| Thank you in advance. Peace
| Kevin Ritter
|
| ----- Original Message -----
| From: "Jonathan Eric Miller" <je...@uchicago.edu>
| To: <to...@jakarta.apache.org>
| Sent: Wednesday, September 19, 2001 8:58 PM
| Subject: Re: Logout with basic autorization
|
|
| > The only way to logout with basic authentication is to close the Web
| > browser. Otherwise, you may want to do form-based authentication.
| >
| > Jon
| >
| > ----- Original Message -----
| > From: "Oleksandr Fedorenko" <ma...@intercollab.kiev.ua>
| > To: <to...@jakarta.apache.org>
| > Sent: Wednesday, September 19, 2001 8:43 AM
| > Subject: Re: Logout with basic autorization
| >
| >
| > >
| > >
| > > "P.Miller" wrote:
| > >
| > > > Hi Oleksandr,
| > > >
| > > > you can 'logout' with session.invalidate().
| > > > You have to login again afterwards.
| > > >
| > >
| > > I do it exactly.
| > >
| > > But Browser already contains information for authentication, and when I want
| > > to access protected page (I want to get auth prompt), it passes it by.
| > >
| > > >
| > > > Hth
| > > > Peter
| > > >
| > > > Oleksandr Fedorenko wrote:
| > > > >
| > > > > Hi.
| > > > >
| > > > > How to do really logout using basic authorization ?
| > > > >
| > > > > I mean to get authorization prompt again by using tomcat engine ? , i.e.
| > > > >
| > > > > tomcat should care about it . To send smth. in response ?
| > > > > If yes, so what to send ?
| > > > >
| > > > > Thanks.
| > > > >
| > > > > Alex.
| > >

Re: Logout with basic autorization

Posted by Fredrik Westermarck <fr...@mdh.se>.
kevin ritter wrote:
> 
> Can anyone verify if this is really the case, that is, to logout with
> BASIC authentication you have to close the browser window? This seems to be
> a little goofy. Are there any workarounds?

The troubles of revoking user credentials when using HTTP-authentication
is documented in the HTTP/1.1 specification (probably 1.0) under
http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html#sec15.6.

The only reliable way of logging out when you have been authenticated
(if using HTTP-authentication) is to close _all_ of your browser
windows.

-- 
Fredrik Westermarck


Re: Logout with basic autorization

Posted by Marko Asplund <as...@kronodoc.fi>.
On Thu, 15 Nov 2001, kevin ritter wrote:

> Thank you for your quick response; however, I have a follow on question
> regarding BASIC authentication and WebDAV. If I implement FORM based
> authentication will I still be able to drag and drop folders using Slide's
> WebDAV capabilities and perform File | Open | Open as Web Folder from
> Internet Explorer. Exactly how will that work?

to my understanding most of the WebDAV clients for MS Windows only support
HTTP Basic Authentication though the WebDAV spec strongly recommends
implementing other schemes like Digest Authentication.

-- 
	aspa



Re: Logout with basic autorization

Posted by kevin ritter <ke...@jcafeinc.com>.
Thank you for your quick response; however, I have a follow on question
regarding BASIC authentication and WebDAV. If I implement FORM based
authentication will I still be able to drag and drop folders using Slide's
WebDAV capabilities and perform File | Open | Open as Web Folder from
Internet Explorer. Exactly how will that work?

As always thanks in advance.
Kevin

----- Original Message -----
From: "Craig R. McClanahan" <cr...@apache.org>
To: "Tomcat Users List" <to...@jakarta.apache.org>; "kevin ritter"
<ke...@jcafeinc.com>
Sent: Wednesday, November 14, 2001 7:53 PM
Subject: Re: Logout with basic autorization


>
>
> On Wed, 14 Nov 2001, kevin ritter wrote:
>
> > Date: Wed, 14 Nov 2001 18:41:01 -0600
> > From: kevin ritter <ke...@jcafeinc.com>
> > Reply-To: Tomcat Users List <to...@jakarta.apache.org>,
> >      kevin ritter <ke...@jcafeinc.com>
> > To: tomcat-user@jakarta.apache.org
> > Subject: Re: Logout with basic autorization
> >
> > Can anyone verify if this is really the case, that is, to logout with
> > BASIC authentication you have to close the browser window? This seems to be
> > a little goofy. Are there any workarounds?
> >
>
> As far as I know, this is correct.  The problem is that when you are using
> BASIC authentication, the browser sends the credentials on every request,
> and I don't know of any way to tell it to stop doing so.
>
> If you use form-based login, invalidating the session is all that is
> required to log the user off.
>
> > Thank you in advance. Peace
> > Kevin Ritter
>
> Craig

Re: Logout with basic autorization

Posted by Marko Asplund <as...@kronodoc.fi>.
On Wed, 14 Nov 2001, Craig R. McClanahan wrote:

> ...
> As far as I know, this is correct.  The problem is that when you are using
> BASIC authentication, the browser sends the credentials on every request,
> and I don't know of any way to tell it to stop doing so.

there's no way of reliably implementing logout with HTTP Basic
authentication. you could always "fake" a password mismatch on the server
side after logout but this would not change the fact that the browser
already knows the password. another possibility would be to change the
name of the authentication realm dynamically for the logged-out user. the
aim being that the browser wouldn't be able to associate the password for
the site anymore but browsers seem to associate passwords to URLs and
ignore the realm name.

the basic authentication scheme just wasn't designed with sessions in
mind.

-- 
	aspa



Re: Logout with basic autorization

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Wed, 14 Nov 2001, kevin ritter wrote:

> Date: Wed, 14 Nov 2001 18:41:01 -0600
> From: kevin ritter <ke...@jcafeinc.com>
> Reply-To: Tomcat Users List <to...@jakarta.apache.org>,
>      kevin ritter <ke...@jcafeinc.com>
> To: tomcat-user@jakarta.apache.org
> Subject: Re: Logout with basic autorization
>
> Can anyone verify if this is really the case, that is, to logout with
> BASIC authentication you have to close the browser window? This seems to be
> a little goofy. Are there any workarounds?
>

As far as I know, this is correct.  The problem is that when you are using
BASIC authentication, the browser sends the credentials on every request,
and I don't know of any way to tell it to stop doing so.

If you use form-based login, invalidating the session is all that is
required to log the user off.

> Thank you in advance. Peace
> Kevin Ritter

Craig
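
The behaviour described in this thread, modeled as an added example (not code from any poster or from Tomcat): a toy server and browser showing why invalidating the session ends a FORM login but not a BASIC one, because the browser replays its cached Authorization header and the server silently opens a new session. The Server, Browser and logout_then_revisit names, the "alice" account, the paths and the realm are all constructed for illustration.

```python
import base64
import itertools

USERS = {"alice": "s3cret"}  # constructed sample account

class Server:  # toy model of a container protecting /app (BASIC or FORM login)
    def __init__(self, mode):
        self.mode, self.sessions, self.ids = mode, {}, itertools.count(1)

    def new_session(self, user):
        sid = f"S{next(self.ids)}"
        self.sessions[sid] = user
        return sid

    def handle(self, path, headers, form=None):
        sid = headers.get("Cookie")
        if path == "/logout":
            self.sessions.pop(sid, None)  # the effect of session.invalidate()
            return 200, {}
        if self.mode == "BASIC":
            auth = headers.get("Authorization") or ""
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
            if auth.startswith("Basic ") and USERS.get(user) == pw:  # checked per request
                return 200, {"Set-Cookie": sid if sid in self.sessions else self.new_session(user)}
            return 401, {"WWW-Authenticate": 'Basic realm="app"'}
        if path == "/login" and form and USERS.get(form["user"]) == form["pw"]:
            return 200, {"Set-Cookie": self.new_session(form["user"])}
        return (200, {}) if sid in self.sessions else (302, {"Location": "/login"})

class Browser:  # replays the session cookie and any cached Basic credentials
    def __init__(self, server):
        self.server, self.cookie, self.cached_auth, self.prompts = server, None, None, 0

    def get(self, path, form=None):
        headers = {"Cookie": self.cookie, "Authorization": self.cached_auth}
        status, resp = self.server.handle(path, headers, form)
        if status == 401 and self.cached_auth is None:
            self.prompts += 1  # the user answers the password dialog once
            self.cached_auth = "Basic " + base64.b64encode(b"alice:s3cret").decode()
            return self.get(path)
        self.cookie = resp.get("Set-Cookie", self.cookie)
        return status

def logout_then_revisit(mode):
    b = Browser(Server(mode))
    if mode == "FORM":
        b.get("/login", {"user": "alice", "pw": "s3cret"})
    before = b.get("/app")
    b.get("/logout")
    return before, b.get("/app"), b.prompts
```

The returned tuple is (status before logout, status after logout, password prompts shown): BASIC stays at 200 after logout with no second prompt, while FORM is redirected to the login page.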

