Posted to users@httpd.apache.org by "Kirk, Laurence" <la...@jpmorgancazenove.com> on 2008/12/19 13:14:46 UTC

Clearing login details from browser

I have apache acting as a proxy and providing authentication to a
JBoss application server. I time out sessions in JBoss but I think the
browser is storing the login details as the user can carry on without
having to log in again.
Is there a way to force the browser to delete login details, or for
apache to force reauthentication when there is a new session?
Has anyone else come across this situation?

Thanks,
Laurence

This e-mail is confidential and is for the addressee only.  Please refer to www.jpmorgancazenove.com/disclaimers/jpmorgancazenove.htm for important disclaimers and the firm's regulatory position.


Re: Clearing login details from browser

Posted by Sheldon Ross <sr...@simmgene.com>.
IMHO the JBoss application should probably be handling the logins, if
this application is very sophisticated.
How are you handling sessions?

On Fri, 2008-12-19 at 13:06 +0000, Tom Evans wrote:
> On Fri, 2008-12-19 at 12:14 +0000, Kirk, Laurence wrote:
> > I have apache acting as a proxy and providing authentication to a
> > JBoss application server. I time out sessions in JBoss but I think
> > the browser is storing the login details as the user can carry on
> > without having to log in again.
> >
> > Is there a way to force the browser to delete login details, or for
> > apache to force reauthentication when there is a new session?
> >
> > Has anyone else come across this situation?
> > 
> > Thanks, 
> > Laurence
> > 
> 
> If you mean "is there a way to clear basic auth settings from the
> browser", then yes, you can send a 403 response. Once a browser receives
> a 403, it forgets any authorization it knew from the same realm, and
> prompts the user for new credentials. If it receives a 2XX or 3XX in
> response, the browser then remembers those credentials and sends them
> along with all other requests to the same server, until it receives a
> 403 response.
> 
> If you mean "can I make the browser forget 'remembered passwords'", then
> no, you can't do anything about that. You could be logging them out, they
> try to access something, apache prompts for basic auth, and the user's
> browser just resupplies the saved information. That is perfectly valid,
> and beyond your control.
> 
> Cheers
> 
> Tom
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 




Re: Clearing login details from browser

Posted by Tom Evans <te...@googlemail.com>.
On Fri, 2008-12-19 at 12:14 +0000, Kirk, Laurence wrote:
> I have apache acting as a proxy and providing authentication to a
> JBoss application server. I time out sessions in JBoss but I think
> the browser is storing the login details as the user can carry on
> without having to log in again.
>
> Is there a way to force the browser to delete login details, or for
> apache to force reauthentication when there is a new session?
>
> Has anyone else come across this situation?
> 
> Thanks, 
> Laurence
> 

If you mean "is there a way to clear basic auth settings from the
browser", then yes, you can send a 403 response. Once a browser receives
a 403, it forgets any authorization it knew from the same realm, and
prompts the user for new credentials. If it receives a 2XX or 3XX in
response, the browser then remembers those credentials and sends them
along with all other requests to the same server, until it receives a
403 response.

If you mean "can I make the browser forget 'remembered passwords'", then
no, you can't do anything about that. You could be logging them out, they
try to access something, apache prompts for basic auth, and the user's
browser just resupplies the saved information. That is perfectly valid,
and beyond your control.

Cheers

Tom
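
[Added example, not part of the original thread.] A sketch of the "force reauthentication when there is a new session" idea from the question, written as a small Python request handler rather than Apache configuration. It answers with the standard HTTP authentication challenge (status 401 plus WWW-Authenticate) once when the server-side session has timed out; the realm name, user table and 900-second timeout are constructed for the demo.

```python
import base64
import hmac

REALM = "intranet"               # assumed realm name
USERS = {"laurence": "s3cret"}   # constructed demo credentials
SESSION_TTL = 900                # assumed idle timeout, seconds
sessions = {}                    # user -> time of last request

def basic_header(user, password):
    """Build the Authorization value a browser sends for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token

def parse_basic(header):
    """Return (user, password), or None if the header is absent or malformed."""
    try:
        scheme, blob = header.split(" ", 1)
        if scheme.lower() != "basic":
            return None
        user, _, password = base64.b64decode(blob, validate=True).decode().partition(":")
        return user, password
    except (AttributeError, ValueError):
        return None

def challenge():
    """401 plus WWW-Authenticate: the browser drops its cached credentials and prompts."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}

def handle(header, now):
    """Decide the response for one request; `now` is a timestamp in seconds."""
    creds = parse_basic(header)
    if creds is None:
        return challenge()
    user, password = creds
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(password.encode(), expected.encode()):
        return challenge()
    last = sessions.get(user)
    if last is not None and now - last > SESSION_TTL:
        # Session timed out: refuse the cached credentials once so the user is
        # prompted again; the next valid request starts a fresh session.
        del sessions[user]
        return challenge()
    sessions[user] = now
    return 200, {}
```

As the reply above points out, the server cannot tell a re-typed password from one the browser's password manager resupplies, so this only forces the prompt, not the typing.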




Re: Clearing login details from browser

Posted by André Warnier <aw...@ice-sa.com>.
Kirk, Laurence wrote:
[...]
I think the problem may have to do with the current financial meltdown.
Once a browser gets hold of a financial institution that actually 
responds, it just doesn't want to let go of it.
;-)

