On Thu, 21 Jun 2001, Michael Jennings wrote:

> > Why is the button there at all?  There should be zero linkages to the
> > login page from *anywhere* in your user interface.
> 
> That's true. The point I was trying to make is that there is nothing to 
> stop an end-user from bookmarking a login page or typing it in
> directly, even if you have no linkages to the login page in your
> user interface.
> 

It's kinda hard for them to bookmark the login page when they don't know
the URL.

Keep in mind that, as far as the browser is concerned, the URL in the
location is still the page that was originally requested.  Therefore, a
bookmark for the login form will actually be to the real page (which might
again trigger authentication if they have exited and restarted before
following the bookmark).

And (at least for servlet 2.3, but Tomcat 4 doesn't do it right yet), the
container is supposed to redirect to the originally requested page after
authentication is completed.  The net effect of this is that the URL of
the login page is never visible to the user, unless you have deliberately
linked to it in your user interface.  That's one of the reasons such links
should not exist.

> > NOTE:  If you don't like the philosophy of form-based login, the
> > appropriate forum is the feedback address for the servlet spec
> > ([EMAIL PROTECTED]), because that is where the requirements
> > for how Tomcat works are defined.
> > 
> > Craig
> 
> Thanks! I'll forward my suggestion on to them.
> -Mike 
> 
> 

Craig
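The flow Craig describes above (the container remembers the originally requested URL, serves the login form as the response to that URL, then redirects back to it after j_security_check succeeds), as an added simulation that is not Tomcat's code or part of the original thread. The path names, the in-memory session store and the credential table are constructed for illustration; `j_security_check`, `j_username` and `j_password` are the names the servlet spec actually defines.

```python
"""Simulation of servlet-2.3-style form-based login (added example, not Tomcat code).

Constructed assumptions: the paths below, the USERS table and the session cookie
mechanism stand in for <login-config>/<security-constraint> settings in web.xml.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

FORM_LOGIN_PAGE = "/WEB-INF/login.html"  # hypothetical <form-login-page>, under WEB-INF so it is never served directly
FORM_ERROR_PAGE = "/WEB-INF/error.html"  # hypothetical <form-error-page>
PROTECTED_PREFIX = "/secure/"            # hypothetical <url-pattern> of the security constraint
USERS = {"alice": "correct horse"}       # constructed credential store


@dataclass
class Response:
    status: int
    body: str = ""
    location: Optional[str] = None    # Location header for a 302
    session_id: Optional[str] = None  # session cookie value the client should send back


@dataclass
class Session:
    user: Optional[str] = None
    saved_request: Optional[str] = None  # URL to redirect to once login succeeds


class Container:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def _session(self, session_id: Optional[str]) -> Tuple[str, Session]:
        if session_id is None or session_id not in self.sessions:
            session_id = secrets.token_hex(16)
            self.sessions[session_id] = Session()
        return session_id, self.sessions[session_id]

    @staticmethod
    def _render(page: str) -> str:
        # The spec mandates a relative action of "j_security_check"; the container
        # recognises that suffix wherever the form was served from.
        if page == FORM_LOGIN_PAGE:
            return ('<form method="POST" action="j_security_check">'
                    '<input name="j_username"><input name="j_password" type="password">'
                    '</form>')
        return "Login failed"

    def handle(self, method: str, path: str, session_id: Optional[str] = None,
               form: Optional[Dict[str, str]] = None) -> Response:
        session_id, sess = self._session(session_id)
        form = form or {}

        # Nothing under WEB-INF is servable: the login form has no URL to type or bookmark.
        if path.startswith("/WEB-INF/"):
            return Response(404, body="Not Found", session_id=session_id)

        if path.endswith("/j_security_check"):
            if method != "POST" or sess.saved_request is None:
                # No pending protected request, so there is nowhere to return to.
                return Response(400, body="Bad Request", session_id=session_id)
            user = form.get("j_username", "")
            expected = USERS.get(user, "")
            if expected and hmac.compare_digest(expected.encode(), form.get("j_password", "").encode()):
                sess.user = user
                target, sess.saved_request = sess.saved_request, None
                return Response(302, location=target, session_id=session_id)  # back to the real page
            return Response(200, body=self._render(FORM_ERROR_PAGE), session_id=session_id)

        if path.startswith(PROTECTED_PREFIX) and sess.user is None:
            # Remember the original request and serve the login form as the response to
            # *this* URL: the browser's location bar still shows `path`, so a bookmark
            # taken now points at the protected page, not at the form.
            sess.saved_request = path
            return Response(200, body=self._render(FORM_LOGIN_PAGE), session_id=session_id)

        return Response(200, body=f"{path} served to {sess.user or 'anonymous'}",
                        session_id=session_id)
```

Walking a client through it: a GET of `/secure/report` returns the form with status 200 and no Location header, a POST of bad credentials to `/secure/j_security_check` returns the error page while keeping the saved request, a correct POST returns 302 to `/secure/report`, and a POST to j_security_check with no saved request is rejected because there is no page to go back to.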

