Once authentication has happened, knowledge of this authentication is kept in the client, not the server. The client communicates authentication data to the server on each request in the authorization header of the HTTP request. HTTP authentication probably never times out, but that's up to the client.
Under the common browser implementations, the authentication is reset when you close the browser.
A session (with data kept on the server) can be invalidated or set to time out. But this will not affect the authenticated username, which will continue to be sent by the client.
Correct.
Of course a server-side Java programmer can bypass HTTP authentication and write his own authentication code which keeps its stuff in a session, a session which can be timed out or invalidated at the server-side programmer's will.
Yup. Most web-based apps do this. Very few use the HTTP-based authentication method.
C
--
Chris Merrill | http://www.webperformanceinc.com
Web Performance Inc. | http://www.webperformancemonitoring.net
Website Load Testing, Stress Testing, and Performance Monitoring Software
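The difference discussed in this thread, as an added example that is not part of the original messages: a small Python model in which the same server-side invalidation ends a session-based login but leaves an HTTP Basic client authenticated, because the client resends its credentials on every request. The user store, timeout value and function names are all constructed for illustration.

```python
import base64
import hmac
import secrets

USERS = {"alice": "s3cret"}   # constructed credential store
SESSION_TTL = 1800            # assumed idle timeout, in seconds
sessions = {}                 # server-side state: session id -> user, last_seen

def check_password(user, password):
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())

def basic_auth_user(headers):
    """HTTP Basic: the identity is re-derived from the header on every request."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:        # malformed base64 or invalid UTF-8
        return None
    return user if check_password(user, password) else None

def login(user, password, now):
    """Application-managed login: the identity lives only in the server's session."""
    if not check_password(user, password):
        return None
    sid = secrets.token_urlsafe(16)   # value the client would carry in a cookie
    sessions[sid] = {"user": user, "last_seen": now}
    return sid

def session_user(sid, now):
    """Session cookie: the identity exists only while the server keeps the entry."""
    entry = sessions.get(sid)
    if entry is None or now - entry["last_seen"] > SESSION_TTL:
        sessions.pop(sid, None)       # unknown or idle too long: drop it
        return None
    entry["last_seen"] = now
    return entry["user"]

def demo():
    """Constructed scenario: invalidate the session, then replay both requests."""
    header = {"Authorization": "Basic " + base64.b64encode(b"alice:s3cret").decode()}
    sid = login("alice", "s3cret", now=0)
    before = (basic_auth_user(header), session_user(sid, now=10))
    sessions.pop(sid, None)           # server-side logout / invalidation
    after = (basic_auth_user(header), session_user(sid, now=20))
    return before, after

if __name__ == "__main__":
    print(demo())
```

With Basic authentication the server has no state to revoke, so ending access means rejecting the credentials themselves (for example by changing the password) rather than invalidating a session.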
