Andrew Oliver wrote:
Basically, but you missed this:
If you use *form* authentication the password/user isn't cached at the browser. If you use *basic* authentication then it is.
Form authentication is built into Tomcat et al. If you use Basic authentication (aka the little dialog popping up) then it is stored in the browser indefinitely (usually until it is closed).
Workflow of a Form based authentication:
- You request a protected page
- You have no session cookie
- Tomcat sends you to the authentication form
- You enter your user and password and click submit
- It posts to j_security_check action
- Tomcat sends you a session cookie
- Tomcat forwards you to the correct page
- You request another protected page while your cookie is valid
- Tomcat sends you to the page skipping the rest
- Your cookie expires or is invalidated, repeat from the top...
Basic Authentication:
Same thing but no form, browser dialog and the BROWSER automatically resends the user id and password when asked. Meaning it never asks again until you close the browser.
Richard O. Hammer wrote:
Is there some way that I can cancel or timeout an HTTP authentication?
I would like to use HTTP authentication to log into my webapp -- first as one user and then as another user -- both from within one running instance of a browser window. But what I have discovered so far seems to suggest that a browser, once logged into a domain, will always continue to send the same authorization header.
_______________________________________________ Juglist mailing list [EMAIL PROTECTED] http://trijug.org/mailman/listinfo/juglist_trijug.org
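
An added example, not part of the original thread or of Tomcat's shipped configuration: a web.xml fragment for the FORM flow described above, with a server-side session timeout so the login can expire without closing the browser. The URL pattern, role name, realm name and page paths are assumptions, and the schema attributes on web-app are omitted.

```xml
<!-- WEB-INF/web.xml fragment (constructed example; paths, role and realm are assumptions) -->
<web-app>
  <!-- Protect everything under /app/* (hypothetical path) -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>protected</web-resource-name>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- BASIC variant, left commented out: the browser caches the credentials
       and resends them on every request, so the server cannot end the login. -->
  <!--
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>example</realm-name>
  </login-config>
  -->

  <!-- FORM variant: the login state lives in the server-side session,
       identified by the session cookie, not in credentials held by the browser. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>

  <!-- Idle timeout in minutes; after it the session is invalid and the
       next request for a protected page goes back to the login form. -->
  <session-config>
    <session-timeout>15</session-timeout>
  </session-config>
</web-app>
```

The login page posts the fields j_username and j_password to the j_security_check action. A logout link that calls HttpSession.invalidate() ends the login immediately, which allows a second user to sign in from the same browser window.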
