-----------------------------
Please read the FAQ!
<http://java.apache.org/faq/>
-----------------------------
>
> >Is there a recommended way to terminate a user's session from a
> >browser? ... that reprompts with the same AuthName as before?
I'd think it would be doable but you'd likely have to tune it for each browser (and do
the research to get the browsers' behaviour)
-you'd have some resource (a url) that decides it's time to kill a log-in.
-you'd ignore the Authorization header and return a normal 401 and WWW-Authenticate
header with your AuthName of choice.
-then the likely browser specific part and is so likely to be weird that the login
screen below is a much more likely to succed
option
-- The browser will either automatically send the username and password that it
already has for that realm OR it will have already
sent the authorization token and so will pop a Basic Authentication dialog for the
user.
-- Possibly you should have checked whether the authorization token was sent with
the request to the log in kill page as that may
be a hint as to whether the browser is going to automatically re-send the auth token
or whether it will pop the dialog.
-- You'll likely have to set flags in the servlet session to keep track of where you
are in the process etc.
HTH
Brett Knights
>
> >From my testing the browsers remember these details until the browser
> exits. I have not found a way to force this setting to be
> forgotten by the
> browser or to force the user to re-enter their password. I
> suspect that any
> method would be browser dependant. A better option may be to
> present your
> own login screen.
>
--
--------------------------------------------------------------
Please read the FAQ! <http://java.apache.org/faq/>
To subscribe: [EMAIL PROTECTED]
To unsubscribe: [EMAIL PROTECTED]
Archives and Other: <http://java.apache.org/main/mail.html>
Problems?: [EMAIL PROTECTED]
