Richard O. Hammer wrote: Of course a server-side Java programmer can bypass HTTP authentication and write his own authentication code which keeps its stuff in a session, a session which can be timed out or invalidated at the server-side programmer's will.
Yup. Most web-based apps do this. Very few use the HTTP-based authentication method.
Do very few Java web apps use HTTP-based authentication because it is so flaky as to be almost useless for any serious application?
_______________________________________________
Juglist mailing list
[EMAIL PROTECTED]
http://trijug.org/mailman/listinfo/juglist_trijug.org
