>>> "Craig R. McClanahan" <[EMAIL PROTECTED]> 6/6/99 6:13:18 AM >>>
>A different approach to the whole situation is to not rely on web
>server basic authentication at all, and just do it yourself with
>servlets.  An example of this technique is at the Java
>Developer's Connection web site (http://developer.javasoft.com).

I'm not sure what Craig means here; I think you are probably already
using a servlet-based authentication system.

If he can clarify or point us to the article on Java dev con then I
would be grateful.

>> The point of authentication, should be to get away from cookies
>> (at least in my mind). We only use
>> cookies/sessions to identify the user. The user's state information
>> is always kept on the server (i.e.
>> lite cookies).

As Craig said, this is wrong. Why should authentication get you away
from cookies?

OK, if you don't want to use cookies then use session URL
rewriting.

Authentication Cannot Replace Sessions
Partly because authentication doesn't usually time out, though you
could make it time out.
Mainly because a user could log on to 2 machines and you wouldn't be
able to uniquely identify each session.
Of course you may not need to do this. But it is important.

Original Problem
You don't have to use a session to signal a change in
authentication.
If you read my original mail carefully you will see that all you need
to do is send an UNAUTHORIZED response.
All you need to do is get the servlet into a _state_ whereby it sends
this response.

I would suggest that the best way to do this is have authorized users
log out and use a timer to ensure that users don't leave their
accounts logged in forever.

The timer could either be passed backwards and forwards to the
browser as a request parameter, or it could be an internal timer
operating on the validity of an internal session-like object (not
actually a session).

This is all terribly easy.

But Sessions Are A Good Idea
It's even easier though if you use sessions - this is one of the
reasons they're in the API.

Nic Ferrier
Tapsell-Ferrier Ltd
www.tapsellferrier.co.uk

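Nic's timer-based approach, written out as an added Java servlet example (this is not code from the message, nor from Craig's JDC article): the servlet validates the Basic credentials itself, keeps an internal session-like record per user, and puts itself into the state where it sends UNAUTHORIZED on logout or when the idle timer runs out. It assumes the javax.servlet API and java.util.Base64 (Java 8+); the user table, realm name, /logout path and 15-minute limit are constructed for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Checks Basic credentials in the servlet itself and keeps an internal idle timer per user. */
public class TimedAuthServlet extends HttpServlet {
    private static final long TIMEOUT_MS = 15 * 60 * 1000L;          // assumed idle limit
    // Constructed demo credential table; a real deployment checks a proper credential store.
    private static final Map<String, String> USERS = Collections.singletonMap("alice", "s3cret");
    // Internal session-like record (not an HttpSession): user -> time of last request.
    private final Map<String, Long> lastSeen = new ConcurrentHashMap<>();

    // Returns the user named in a valid "Authorization: Basic ..." header, else null.
    static String checkBasic(String header, Map<String, String> users) {
        if (header == null || !header.startsWith("Basic ")) return null;
        String decoded;
        try { decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8); }
        catch (IllegalArgumentException e) { return null; }           // malformed base64
        int colon = decoded.indexOf(':');
        if (colon < 0) return null;
        String user = decoded.substring(0, colon), expected = users.get(user);
        return expected != null && expected.equals(decoded.substring(colon + 1)) ? user : null;
    }

    // Put the response in the UNAUTHORIZED state: the browser re-prompts and drops its cached credentials.
    private static void challenge(HttpServletResponse resp) throws IOException {
        resp.setHeader("WWW-Authenticate", "Basic realm=\"example\"");
        resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = checkBasic(req.getHeader("Authorization"), USERS);
        if (user == null) { challenge(resp); return; }                // missing or wrong credentials
        Long seen = lastSeen.get(user);
        boolean expired = seen != null && System.currentTimeMillis() - seen > TIMEOUT_MS;
        if (expired || "/logout".equals(req.getPathInfo())) {         // timer ran out or explicit logout
            lastSeen.remove(user); challenge(resp); return;
        }
        lastSeen.put(user, System.currentTimeMillis());               // refresh the idle timer
        resp.getWriter().println("Hello, " + user);
    }
}
```

Map the servlet to a path such as /secure/* so that /secure/logout reaches it with a path info of /logout; a second login after logout simply starts a fresh timer, which is the behaviour Nic describes.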
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".

Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html