-----------------------------
Please read the FAQ!
<http://java.apache.org/faq/>
-----------------------------

Here is the simple case:
You receive a request. Your servlet decides to invalidate the login for that session.
You return a login page that has the original request as a hidden form field.
When you validate the name and password you send the user on their way.
If real security is an issue you use SSL and the password dialog is just an input, so you don't care about Base64Encode/decode for the password.


If you want the Basic Authentication dialog (imo it is more elegant):
You receive a request. Your servlet decides to invalidate the login for that session.
You check the Authorization header - if it includes the user name and password then just return the 401 and WWW-Authenticate header.
The browser should know it just sent the authorization token, so it should seek help from the user by popping the Basic Authentication dialog.
If all your pages are password protected then this should be the rule and you needn't go further.

Your problem comes in if the request for which you decide to invalidate the login didn't include an Authorization header. If you return the 401 status and WWW-Authenticate header, then when you get back a response you won't know whether the user typed it in or whether the browser returned a cached authentication token. The latter is more likely.

As far as a tutorial on this stuff goes, get RFC 2068. Also the Jason Hunter book has some in it, as well as a reference to an authorization token decoder.

HTH
***********************************************************
Brett Knights                             626-432-5767 work
[EMAIL PROTECTED]                 626-355-1017 home
***********************************************************
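As an added illustration of the Basic-dialog flow described above (example code, not from the thread or the Java Apache project), assuming the javax.servlet API, a hypothetical ReloginServlet, a `logout` request parameter, an assumed idle-timeout policy, and a `login` form page (the simple case) as the fallback when no Authorization header arrived:

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.ServletException;
import javax.servlet.http.*;

/** Added example (hypothetical servlet): re-prompting via the Basic Authentication dialog. */
public class ReloginServlet extends HttpServlet {
    private static final String REALM = "AuthName";            // must match the original challenge
    private static final long MAX_IDLE_MS = 15 * 60 * 1000L;   // assumed timeout policy

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(true);
        String[] creds = decodeBasic(req.getHeader("Authorization"));
        boolean idle = System.currentTimeMillis() - session.getLastAccessedTime() > MAX_IDLE_MS;

        if (idle || "true".equals(req.getParameter("logout"))) {   // servlet decides to invalidate
            session.invalidate();
            if (creds != null) {
                // The browser just sent its token, so a 401 makes it pop the Basic dialog.
                challenge(resp);
            } else {
                // No Authorization header: a 401 would likely be answered with a cached token
                // that is indistinguishable from a typed one, so fall back to the login form.
                resp.sendRedirect("login?orig=" + URLEncoder.encode(req.getRequestURI(), "UTF-8"));
            }
            return;
        }
        if (creds == null || !checkPassword(creds[0], creds[1])) { challenge(resp); return; }
        resp.setContentType("text/plain");
        resp.getWriter().println("Hello " + creds[0]);
    }

    /** Sends the 401 plus WWW-Authenticate header that triggers the browser dialog. */
    static void challenge(HttpServletResponse resp) throws IOException {
        resp.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    /** Decodes "Basic base64(user:password)"; returns null for a missing or malformed header. */
    static String[] decodeBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        try {
            String pair = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                    StandardCharsets.UTF_8);
            int colon = pair.indexOf(':');
            return colon < 0 ? null : new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
        } catch (IllegalArgumentException e) { return null; }
    }

    /** Placeholder credential check; assumed to be replaced by a lookup in the real user store. */
    static boolean checkPassword(String user, String password) { return false; }
}
```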


> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Hasan
> Sent: Sunday, September 26, 1999 6:35 PM
> To: Java Apache Users
> Subject: RE: Gracefully timing-out a user session.
>
>
>
> > > >Is there a recommended way to terminate a user's session from a
> > > >browser?  ...  that reprompts with the same AuthName as before?
>
> > I'd think it would be doable but you'd likely have to tune it for each
> > browser (and do the research to get the browsers' behaviour)
>
> Uh-oh.  That means "ferggedit" doesn't it?
>
> > - then the likely browser specific part and is so likely to be
> > weird that the login screen below is a much more likely to succeed
> > option
>
> Did you attach a login sample?  I didn't see it.  (In fact I think this list
> strips them off. No?)
>
> Does any one have a pointer to a good tutorial on this stuff?
>
> I was all set to go from mod_auth to mod_auth_db for MySQL, but
> I'm beginning to think the whole method of using browser based
> security is too limited; but I don't know enough to decide, and
> ultimately I need digital certificates.  What is the right
> way to go?
>
> If you'll pardon my thinking out loud a bit longer...
>
> I have several HTML frames, each with different possible logins
> (one for getting non-restricted reference data, one for private data,
> and a further one for restricted updates).  It seemed like a good
> idea at the time, (and meets spec.), but now when I come to the
> issue of timing out sessions it becomes a nightmare. Larry Singer's
> code frag ...
>
> > resp.setHeader("WWW-Authenticate", "Basic realm=\"AuthName\"");
>
>  ... gets me what I asked for; but it only gets me one step further into
> what seems like a horrible tangle.
>
> Thanks for the help so far.  If I can get a good technique I'll post a
> FAQ answer -- I promise.
>
>
>   Hasan
>   ~~~~~                 HASAN BRAMWELL
>
> Address: Casilla 17-17-1004, Quito, Ecuador
> Tel : (593) (2) 372-748
> Internet: [EMAIL PROTECTED]
>  or : (593) (9) 722-221
>
>



--
--------------------------------------------------------------
Please read the FAQ! <http://java.apache.org/faq/>
To subscribe:        [EMAIL PROTECTED]
To unsubscribe:      [EMAIL PROTECTED]
Archives and Other:  <http://java.apache.org/main/mail.html>
Problems?:           [EMAIL PROTECTED]
