Your best bet when dealing with authentication and users not logging off is to also include a session expiry for your page. This handles the case where a user leaves without logging off.
-Hakan

-----Original Message-----
From: Jon Wingfield [mailto:[EMAIL PROTECTED]
Sent: Monday, September 22, 2003 6:25 AM
To: Tomcat Users List
Subject: Re: Can JSP track users in a basic authentication protected realm ?

You could possibly track the "referer" header of the request. If the referer is a site outside your protection domain then re-authenticate. This could be done in a filter: Check the header, log out the user, redirect to the requested page to trigger re-authentication.

This technique assumes the "referer" header has been set by the browser. As it's not a mandatory header you may not always get it:

http://www.w3.org/Protocols/rfc2616/rfc2616.txt

Specifically section 14.36 Referer

HTH,

Jon

David wrote:

> Actually I do not know how to do it. I know those internet banking sites
> do it. They have this option of "Log out" for their users. When users
> click on that "log out" option, they will in effect log out of the
> protected realm. Should they decide to return to the same site again (
> using the same instance of the IE) they will be prompted for the password
> and ID again.
>
> Currently, with basic authentication ( implemented using HTTP SERVER)
> the server does not recognise if the user has moved onto another site
> outside the protected realm. If he decides to surf an area outside the
> protected realm, and decides to return to the protected realm, he will
> not be prompted for a password.
>
> This problem arises when the computer being used to access my protected
> realm is a public computer. If that is the case, users who enter my
> protected realm and forget to terminate that instance of the IE are going
> to allow subsequent users of that machine to access my site.
>
> My question is how can I implement such a way as mentioned above ?
> The "log out" button kind of effect.
>
> Many thanks.
>
> Regards
> David
>
>
> -----Original Message-----
> From: George Sexton [mailto:[EMAIL PROTECTED]
> Sent: Sunday, September 21, 2003 12:47 AM
> To: 'Tomcat Users List'
> Subject: RE: Can JSP track users in a basic authentication protected
> realm ?
>
> Can you explain how Tomcat will be able to tell whether the user has
> navigated away and returned, versus just taken some period of time
> before getting the next page?
>
> -----Original Message-----
> From: David [mailto:[EMAIL PROTECTED]
> Sent: Saturday, September 20, 2003 9:56 AM
> To: Tomcat User
> Subject: Can JSP track users in a basic authentication protected realm ?
>
>
>
> Hi guys,
>
> Does anyone know how I can implement the above mentioned?
> Once they exit the protected realm (i.e. the protected folder in my
> htdocs), when they re-enter the site again they will be asked for a
> password. I have a simple basic authentication system but it doesn't
> track the user when it leaves the protected realm. What I wanted to do
> was to get the server to re-authenticate the user every time he leaves my
> realm and tries to re-enter again.
>
>
> Some people suggested CGI, some suggest PHP..
>
> I would like to know if JSP can do the job. If yes, what level of
> competence do I know JSP ?
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
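
The two suggestions in this thread (a session expiry, and a filter that checks the "referer" header) combined in one servlet filter, as an added example that is not code from any of the posters. The class name `ReauthFilter`, the 10-minute limit and the same-host test for "inside the protection domain" are assumptions; it also assumes a session-based (form) login, because with HTTP Basic the browser re-sends its cached credentials on its own.

```java
import java.io.IOException;
import java.net.URI;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example; ReauthFilter and IDLE_SECONDS are hypothetical names.
public class ReauthFilter implements Filter {
    private static final int IDLE_SECONDS = 10 * 60; // assumed idle limit

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(false); // never create one here

        if (session != null) {
            // Session expiry: the container discards the session once it has
            // been idle this long, covering users who leave without logging off.
            session.setMaxInactiveInterval(IDLE_SECONDS);

            // Referer is optional (RFC 2616 section 14.36); when it is absent
            // we cannot tell where the user came from and rely on the timeout.
            String referer = req.getHeader("Referer");
            if (referer != null && !sameHost(referer, req.getServerName())) {
                session.invalidate();              // log the user out
                res.sendRedirect(requestedPage(req)); // re-request triggers login
                return;
            }
        }
        chain.doFilter(rq, rs);
    }

    // True when the Referer URL points at the host that served this request.
    static boolean sameHost(String referer, String host) {
        try {
            String h = URI.create(referer).getHost();
            return h != null && h.equalsIgnoreCase(host);
        } catch (IllegalArgumentException e) {
            return false; // an unparseable Referer is treated as external
        }
    }

    // Local path of the current request; leading slashes are collapsed so the
    // redirect can never become a protocol-relative URL to another host.
    static String requestedPage(HttpServletRequest req) {
        String uri = req.getRequestURI().replaceFirst("^/+", "/");
        String q = req.getQueryString();
        return q == null ? uri : uri + "?" + q;
    }
}
```

The filter is mapped to the protected URL pattern in `web.xml`; a request body is not preserved across the redirect, so it suits GET navigation into the protected area.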