> Date: Fri, 4 Jun 1999 21:46:44 +0100
> From: Nic Ferrier <[EMAIL PROTECTED]>
> Subject: Re: Http Basic Re-Authentication
>
> The short answer is that you can't do this.
>
> Once a browser has been authenticated then it is authenticated until
> the server sends an SC_UNAUTHORIZED response or the browser has been
> closed and restarted.
>
> The long answer is that you can do this, if you have your users
> specifically log out.
>
> To do this you need to associate users with sessions and do
> authentication based on whether the session is valid or not.
>
> If the session is valid (ie: the user has logged on correctly) then
> you return the 200 response.
>
> If the session is invalid, or non-existent, then you can return
> UNAUTHORIZED.
>
> That should do it.
What neither of the responses that say to use sessions mentions is that using sessions implies using cookies. If I can use cookies then I don't need authentication (this is what we already do). The point of authentication should be to get away from cookies (at least in my mind). We only use cookies/sessions to identify the user. The user's state information is always kept on the server (i.e. lite cookies).

Not being able to unauthenticate is a real drag - and it seems an oversight in the protocol. Maybe there is some state process that can cause a normal unauthorized response to make sure that it gets re-authorized. Is there no other data associated with the authorization that could be used? One thought that seems kind of wacky is changing realms on the user.

Any additional ideas are of great interest.
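The scheme the quoted reply describes (accept the Basic credentials only while a server-side login state is valid, and answer a logout with a 401 on the next request so the browser must prompt again) as an added illustration; this is not code from either poster, and the user table, realm, paths and the three-state per-user record are my own assumptions.

```python
import base64
import hmac

# Constructed demo credential store; a real deployment stores password hashes.
USERS = {"alice": "s3cret"}
REALM = "app"
CHALLENGE = {"WWW-Authenticate": f'Basic realm="{REALM}"'}

# Per-user login state kept on the server (the "session" of the quoted reply):
#   "active"      - credentials accepted, normal 200 responses
#   "logged_out"  - user hit /logout; the browser still caches the credentials
#   "challenged"  - we answered 401 once, so the next presentation is a fresh login
login_state: dict[str, str] = {}


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a browser would send for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def parse_basic(header):
    """Return (user, password) from an 'Authorization: Basic ...' header, or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def handle(path: str, auth_header):
    """Return (status, extra_headers) for one request."""
    creds = parse_basic(auth_header)
    if creds is None or creds[0] not in USERS \
            or not hmac.compare_digest(USERS[creds[0]], creds[1]):
        return 401, CHALLENGE               # no or bad credentials: challenge
    user = creds[0]
    if path == "/logout":
        login_state[user] = "logged_out"    # invalidate the server-side login
        return 200, {}
    if login_state.get(user) == "logged_out":
        # The browser is replaying cached credentials after a logout: reject once
        # so it discards them and prompts the user to re-enter them.
        login_state[user] = "challenged"
        return 401, CHALLENGE
    login_state[user] = "active"            # first visit or re-entered credentials
    return 200, {}
```

The caveat the original poster is circling is still visible here: the server cannot tell re-typed credentials from cached ones by their bytes, so the forced 401 after logout is what makes the browser prompt, and a client that silently retries the cached copy would be accepted on the second attempt.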
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html