In BASIC authentication, the credentials are stored in the web browser and sent when/if requested. So the only way to get rid of those stored credentials is by closing the web browser.
[Of course, when the web server is restarted or web app restarted - I can't recall what happens to the authentication information. ]
-Tim
Adam Hardy wrote:
I am using session.invalidate() to try to cause the user to receive another login request, using CMS form-based authentication.
I saw the same issue in bugzilla but for basic authentication:
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12147
where the tomcat developer/bugzilla person resolved the issue saying that CMS basic authentication cannot be manipulated in this way since the browser sends the login info with every request, requiring the user to close the browser before seeing another login request.
Is this the same for form-based authentication?
I thought that in tomcat4 I was getting new login request for the users just by invalidating their sessions. Am I deluding myself?
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
