Duane Murphy wrote:
> > Date: Fri, 4 Jun 1999 21:46:44 +0100
> > From: Nic Ferrier <[EMAIL PROTECTED]>
> > Subject: Re: Http Basic Re-Authentication
> >
> > The short answer is that you can't do this.
> >
> > Once a browser has been authenticated then it is authenticated until
> > the server sends an SC_UNAUTHORIZED response or the browser has been
> > closed and restarted.
> >
> > The long answer is that you can do this, if you have your users
> > specifically log out.
> >
> > To do this you need to associate users with sessions and do
> > authentication based on whether the session is valid or not.
> >
> > If the session is valid (ie: the user has logged on correctly) then
> > you return the 200 response.
> >
> > If the session is invalid, or non-existent, then you can return
> > UNAUTHORIZED.
> >
> > That should do it.
>
> What neither of the responses that say to use sessions mentions is that using
> sessions implies using Cookies. If I can use Cookies then I don't need
> authentication (this is what we already do).
>
That is not strictly correct ... sessions can also be maintained by using URL
rewriting. This works even if the user's browser has cookies turned off, but requires
you to encode all of your hyperlinks (see HttpServletResponse.encodeURL()).
>
> The point of authentication, should be to get away from cookies (at least in my
> mind). We only use cookies/sessions to identify the user. The user's state
> information is always kept on the server (ie lite cookies).
>
> Not being able to unauthenticate is a real drag - and it seems an oversight in the
> protocol. Maybe there is some state process that can cause a normal unauthorized
> response to make sure that it gets re-authorized. Is there no other data associated
> with the authorization that could be used? One thought that seems kind of whacky is
> changing realms on the user.
>
> Any additional ideas are of great interest.
>
If you are talking about web server authentication, just send an
HttpServletResponse.SC_UNAUTHORIZED status back after you have decided that the user
has logged off.

A different approach to the whole situation is to not rely on web server basic
authentication at all, and just do it yourself with servlets. An example of this
technique is at the Java Developer's Connection web site (http://developer.javasoft.com).
Craig McClanahan
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
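The approach the thread converges on (Nic Ferrier's session-validated Basic auth, Craig McClanahan's "send SC_UNAUTHORIZED once the user has logged off", and URL rewriting via encodeURL() for cookie-less clients) put together in one servlet. This is an added example, not code from the original messages or from the Java Developer's Connection; the REALM name, the USERS table, the session attribute name and the /logout path are assumptions for the illustration, and it uses java.util.Base64 and Map.of, so it needs Java 9 or later and a javax.servlet container.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Session-backed HTTP Basic authentication with a working "log out".
 * Added example; not code from the original thread. REALM, USERS, USER_ATTR
 * and the /logout path are assumptions made for this illustration.
 */
public class ReauthServlet extends HttpServlet {

    private static final String REALM = "demo";          // assumed realm name
    private static final String USER_ATTR = "authUser";  // session attribute holding the login name

    // Constructed user table for the example only; real code would use a hashed store.
    private static final Map<String, String> USERS = Map.of("alice", "s3cret", "bob", "hunter2");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        // 1. Logout: drop the server-side session, then answer 401 so the browser
        //    discards its cached credentials and prompts again on the next request.
        if ("/logout".equals(req.getPathInfo())) {
            HttpSession old = req.getSession(false);
            if (old != null) {
                old.invalidate();
            }
            challenge(resp);
            return;
        }

        // 2. A session that already holds a user was authenticated earlier: serve the page.
        HttpSession session = req.getSession(true);
        String user = (String) session.getAttribute(USER_ATTR);
        if (user == null) {
            // 3. No valid session: authenticate from the Authorization header, or challenge.
            user = credentialsFrom(req);
            if (user == null) {
                challenge(resp);
                return;
            }
            session.setAttribute(USER_ATTR, user);
        }

        resp.setContentType("text/html");
        resp.getWriter().println("<p>Hello, " + user + ".</p>");
        // encodeURL() appends the session id to the link only when the client sent no
        // session cookie, so the session survives with cookies disabled.
        String logoutUrl = resp.encodeURL(req.getContextPath() + req.getServletPath() + "/logout");
        resp.getWriter().println("<a href=\"" + logoutUrl + "\">Log out</a>");
    }

    /** Returns the user name if the request carries valid Basic credentials, else null. */
    private static String credentialsFrom(HttpServletRequest req) {
        String header = req.getHeader("Authorization");
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                                 StandardCharsets.ISO_8859_1);
        } catch (IllegalArgumentException e) {
            return null; // malformed base64
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            return null;
        }
        String name = decoded.substring(0, colon);
        String pass = decoded.substring(colon + 1);
        String expected = USERS.get(name);
        // Constant-time comparison so password length and prefix do not leak via timing.
        if (expected == null || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), pass.getBytes(StandardCharsets.UTF_8))) {
            return null;
        }
        return name;
    }

    /** Sends the 401 challenge that makes the browser (re-)prompt for credentials. */
    private static void challenge(HttpServletResponse resp) throws IOException {
        resp.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
}
```

Two caveats a practitioner will want: the 401 sent from /logout is what makes the browser forget the cached credentials; invalidating the session alone is not enough, because the browser keeps resending the same Authorization header and step 3 would silently log the user back in. And since Basic credentials travel in the clear on every request, this only makes sense over TLS.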