Um, not an IBM extension.  The servlet spec has session.invalidate() which
works with form authentication but just dumps the session cache but not the
authentication (which sits in the browser) with basic.
> From: Don Brady <[EMAIL PROTECTED]>
> Reply-To: "Research Triangle Java User's Group mailing
> list."<[EMAIL PROTECTED]>
> Date: Sun, 11 Apr 2004 16:25:11 -0400
> To: [EMAIL PROTECTED]
> Subject: Re: [Juglist] Re: HTTP authentication -- was too few warnings among
> us about bad code
> 
> At 12:42 PM 4/11/2004, Henri Yandell wrote:
> 
>> Apart from being able to integrate the login into the page, what then is
>> the advantage of Form Auth over Basic?
>> 
>> Both are basically crap without SSL. The only advantage I can think of for
>> Form Auth is that the login process can be over SSL, but then it can move
>> out of SSL and rely on Session memory. Which as the session id is in
>> either a cookie or the URLs would be insecure, though only insecure in a
>> session's lifetime.
>> 
>> Useful for big sites where everything in SSL might be a cpu issue, but
>> generally it could all just stay in SSL, so why not just use Basic?
>> 
>> Just wondering. I find that the choice is often driven by how the business
>> people want it to look.
> 
> 
> BTW with WebSphere you need to use FormAuth to be able to provide a logoff
> page (which invalidates the authorization).   I think that this is an IBM
> extension though for now.
> 
> 
> _______________________________________________
> Juglist mailing list
> [EMAIL PROTECTED]
> http://trijug.org/mailman/listinfo/juglist_trijug.org
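
The logout behaviour described in the reply at the top of this message, as an added example that is not part of the original thread: a small Python model (not a real servlet container) of a server-side session cache and a browser that either holds only a session cookie (form) or also resends cached Basic credentials. All names, the `JSESSIONID` handling and the credentials are constructed assumptions for illustration.

```python
import base64, hmac, secrets

USERS = {"alice": "s3cret"}   # constructed credentials
SESSIONS = {}                 # session id -> user: the server-side session cache

def check(user, pw):
    return user in USERS and hmac.compare_digest(USERS[user], pw)

def new_session(user):
    sid = secrets.token_hex(16)
    SESSIONS[sid] = user
    return sid

def handle(headers, cookies, mode):
    """One request to a protected page: returns (user or None, cookies to set)."""
    sid = cookies.get("JSESSIONID")
    if sid in SESSIONS:
        return SESSIONS[sid], {}
    auth = headers.get("Authorization", "")
    if mode == "basic" and auth.startswith("Basic "):
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        if check(user, pw):   # credentials arrive with the request: silent re-login
            return user, {"JSESSIONID": new_session(user)}
    return None, {}           # form mode: caller would be sent to the login page

def logout(cookies):
    # Models session.invalidate(): only the server-side session is dropped.
    SESSIONS.pop(cookies.get("JSESSIONID"), None)

class Browser:
    def __init__(self, mode):
        self.mode, self.cookies, self.basic = mode, {}, None
    def login(self, user, pw):
        if self.mode == "form" and check(user, pw):
            self.cookies["JSESSIONID"] = new_session(user)
        elif self.mode == "basic":   # browser caches the credentials itself
            self.basic = "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()
    def get(self):
        headers = {"Authorization": self.basic} if self.basic else {}
        user, set_cookies = handle(headers, self.cookies, self.mode)
        self.cookies.update(set_cookies)
        return user

def user_after_logout(mode):
    b = Browser(mode)
    b.login("alice", "s3cret")
    b.get()                   # authenticated request before logout
    logout(b.cookies)
    return b.get()            # who the server sees on the next request
```

With form login the request after logout is anonymous; with Basic the browser resends its cached header and the server creates a fresh session for the same user.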

