Well, try this:
1. When the user logs out, after cleanups,
save in the HttpSession, under the name
"ProhibitedAuthHeader", the content of the "Authorization" header itself.
2. When a request comes in:
- see if a "ProhibitedAuthHeader" exists in the session,
and if not, go on with normal authorization/processing.
- if the session contains a "ProhibitedAuthHeader", see if it equals
the current request's "Authorization" header and, if so,
send the SC_UNAUTHORIZED error again.
If the authorization header is different from the session's
"ProhibitedAuthHeader", then simply go on with normal authorization, and
if it succeeds, delete the "ProhibitedAuthHeader" key from the
session, so it will not bother your code again.
-------
Thus a "logged-out" user will not be able to re-login before
another user logs in and out. This can be a drawback
if he changes his mind, but he will still be able
to wait for the session to expire or, better, just restart the browser
(to force creation of a new session).
Cezar.
On Fri, 4 Jun 1999, Wallace Neikirk wrote:
> Hi,
> I understand "Basic Http Authentication", e.g.,
>
> String authHeader = req.getHeader("Authorization");
> if (authHeader == null) {
>     res.setHeader("WWW-Authenticate", "Basic realm=\"Authentication\"");
>     res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
> }
>
> But, what about "Basic Http Re-Authentication" ...
> What if a user ( a student ) logs off your site,
> then another student steps up to use the same browser.
>
> How do I force the browser to forget the previous student.
> I tried "setHeader("Authentication", null), that didn't work.
>
> Can anyone share the proper technique???
> Thanks.
>
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
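The scheme sketched in the reply above, written out as a complete servlet. This is an added example, not code from the thread or from any project: the `/app?logout=true` URL, the `ReauthServlet` class, the in-memory user table and the `javax.servlet` API (Java 8 or later for `java.util.Base64`) are all assumptions. The one thing worth keeping in mind when using it: Basic authentication has no server-side logout at all, so the browser will keep replaying the cached credential on every request; all this does is answer that replay with a fresh 401 so the browser asks for new credentials, and, as the reply notes, the same user cannot log straight back in until a different credential has been accepted in that session.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Added example (not from the thread): Basic-auth "re-authentication"
 *  by remembering the logged-out Authorization header in the session. */
public class ReauthServlet extends HttpServlet {

    private static final String PROHIBITED = "ProhibitedAuthHeader";
    private static final String REALM = "Authentication";

    // Constructed demo credential store (assumption: user -> password).
    // A real application would store password hashes, not plaintext.
    private static final Map<String, String> USERS = new HashMap<>();
    static {
        USERS.put("alice", "wonderland");
        USERS.put("bob", "builder");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        if ("true".equals(req.getParameter("logout"))) { // hypothetical logout URL
            logout(req, res);
            return;
        }
        String user = authenticate(req, res);
        if (user == null) {
            return; // 401 challenge already sent
        }
        res.setContentType("text/plain");
        res.getWriter().println("Hello, " + user);
    }

    /** Step 1: after cleanups, remember the header the browser will keep replaying. */
    private void logout(HttpServletRequest req, HttpServletResponse res) throws IOException {
        HttpSession session = req.getSession(true);
        // ... application-specific cleanup would go here ...
        String auth = req.getHeader("Authorization");
        if (auth != null) {
            session.setAttribute(PROHIBITED, auth);
        }
        res.setContentType("text/plain");
        res.getWriter().println("Logged out; the next request will prompt for credentials.");
    }

    /** Step 2: re-challenge the prohibited header, otherwise run normal Basic auth
     *  and, on success, forget the prohibited header. Returns the user name, or
     *  null after a 401 has been sent. */
    private String authenticate(HttpServletRequest req, HttpServletResponse res) throws IOException {
        HttpSession session = req.getSession(true);
        String auth = req.getHeader("Authorization");
        String prohibited = (String) session.getAttribute(PROHIBITED);

        if (auth == null || (prohibited != null && constantTimeEquals(prohibited, auth))) {
            challenge(res);
            return null;
        }
        String user = checkBasic(auth);
        if (user == null) {
            challenge(res); // wrong credentials: ask again
            return null;
        }
        session.removeAttribute(PROHIBITED); // a new credential was accepted
        return user;
    }

    private void challenge(HttpServletResponse res) throws IOException {
        res.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    /** Parse "Basic base64(user:password)" and verify it against the demo store. */
    static String checkBasic(String auth) {
        if (!auth.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(auth.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null; // malformed base64
        }
        String pair = new String(raw, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        if (colon < 0) return null;
        String user = pair.substring(0, colon);
        String expected = USERS.get(user);
        return expected != null && constantTimeEquals(expected, pair.substring(colon + 1)) ? user : null;
    }

    /** Length-independent comparison so the check leaks nothing via timing. */
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}
```

The comparison of the prohibited header uses `MessageDigest.isEqual` rather than `String.equals` because the header carries the credential itself; the servlet must be reachable through a session cookie (or URL rewriting) for `getSession()` to return the same session on the request that carries the replayed header, otherwise the marker is never found.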