Hi,

This is my experience in WebSphere (Container Managed Security).

WebSphere stores authenticated credentials in a cookie (an LTPA cookie).
The other App Servers might implement things differently.

So as long as this cookie is valid then the user would not be challenged again.

So this has got nothing to do with HTTP Sessions!

What did I do?

When a user logs out, I invalidate the HttpSession and I use the IBM-specific logout mechanism, which essentially renders the LTPA cookie invalid.

So if the user accesses a secured page, they would be challenged again.

Having said this, it still doesn't work for BASIC Challenge as Micheal pointed out.

Conclusion:
The idea of HttpSession and Authentication info are essentially different.

HTH
Manglu
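
The two-part logout described in the message above, sketched as an added example that is not code from the original post. It assumes a Servlet 3.0 container and form-based login; the standard `request.logout()` call stands in for the IBM-specific mechanism, which the post does not name, and the URL mapping, redirect target and default cookie names `LtpaToken`/`LtpaToken2` are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/logout") // hypothetical URL mapping
public class LogoutServlet extends HttpServlet {

    // Assumed default names of the WebSphere LTPA single sign-on cookies.
    private static final String[] LTPA_COOKIES = {"LtpaToken", "LtpaToken2"};

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Step 1: discard application state. On its own this does NOT log the
        // user out, because the container re-authenticates from the LTPA cookie.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Step 2: clear the container-managed identity for this request
        // (standard Servlet 3.0 call, used here instead of a vendor API).
        req.logout();

        // Step 3: tell the browser to drop the authentication cookies.
        // Path (and domain, if an SSO domain is configured) must match the
        // values the server used when it issued the cookie.
        for (String name : LTPA_COOKIES) {
            Cookie expired = new Cookie(name, "");
            expired.setPath("/");
            expired.setMaxAge(0);            // 0 = delete immediately
            expired.setHttpOnly(true);
            expired.setSecure(req.isSecure());
            resp.addCookie(expired);
        }

        // Keep the post-logout response out of browser and proxy caches.
        resp.setHeader("Cache-Control", "no-store");
        resp.sendRedirect(req.getContextPath() + "/login.jsp"); // hypothetical page
    }
}
```

A quick check after deploying something like this: request a secured page after logout and confirm the container issues a fresh login challenge rather than serving the page.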