Rich,

Usually, if you have a webapp where the user logs in using different IDs there will be some sort of logout action that is initiated by the user (clicking logout, etc.) that results in the session being explicitly invalidated (request.getSession().invalidate()). You can save the extra step, from the user's point of view, by having this be the first thing the login screen does if it sees the remnants of an old session (often something like request.getSession().getAttribute("userId"), but this will depend on your login code). Setting the "timeout" on the session doesn't usually help with the problem of multiple userIds from a single browser execution since it makes the invalidation event happen at a somewhat arbitrary time (not likely to be when you need it).

It occurs to me that I am assuming you are using form-based authentication but I think that this works with basic authentication as well.

I did a bit of Googling for "tomcat session timeout" and for "form-based-authentication servlet" and came up with several threads that seemed useful, notably
http://www.experts-exchange.com/Web/Web_Servers/Apache/Q_20878998.html
http://www.jguru.com/forums/view.jsp?EID=504163
and
http://www.jguru.com/forums/view.jsp?EID=524485


Hope this helps.

Lee

Richard O. Hammer wrote:

Is there some way that I can cancel or timeout an HTTP authentication?

I would like to use HTTP authentication to log into my webapp -- first as one user and then as another user -- both from within one running instance of a browser window. But what I have discovered so far seems to suggest that a browser, once logged into a domain, will always continue to send the same authorization header.

Thanks,

Rich Hammer




_______________________________________________
Juglist mailing list
[EMAIL PROTECTED]
http://trijug.org/mailman/listinfo/juglist_trijug.org
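
Added example, not part of the original messages: a sketch of the "invalidate at the login screen" approach from the reply above, for the form-based case with the javax.servlet API. The "userId" attribute comes from the reply; the servlet name, /login.jsp, /home, the form field names and the checkCredentials hook are assumptions made for illustration.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not code from the thread. Assumed names: /login.jsp, /home,
// the "user"/"password" form fields and the checkCredentials hook.
public abstract class LoginServlet extends HttpServlet {

    // Hypothetical hook: verify the submitted credentials against your user store.
    protected abstract boolean checkCredentials(String user, String password);

    // Drop whatever session the browser is still carrying.
    // getSession(false) returns null instead of creating a session.
    private static void discardOldSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Showing the login screen implies logout: the previous user's session
        // ends now, not whenever the idle timeout happens to fire.
        discardOldSession(request);
        request.getRequestDispatcher("/login.jsp").forward(request, response);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = request.getParameter("user");
        String password = request.getParameter("password");
        // Invalidate again in case the form was posted without a prior GET.
        discardOldSession(request);
        if (user == null || password == null || !checkCredentials(user, password)) {
            response.sendRedirect(request.getContextPath() + "/login.jsp?error=1");
            return;
        }
        // A fresh session (and session ID) for the new user, so neither the old
        // attributes nor a pre-login session ID carry over into this login.
        HttpSession session = request.getSession(true);
        session.setAttribute("userId", user);
        response.sendRedirect(request.getContextPath() + "/home");
    }
}
```

Creating the session only after the credentials check also means the authenticated user never inherits a session ID that existed before login.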
