> On Thu, 21 Jun 2001, Michael Jennings wrote:
> 
> > That's true. The point I was trying to make is that there is nothing to 
> > stop an end-user from bookmarking a login page or typing it in
> > directly, even if you have no linkages to the login page in your
> > user interface.
> > 
> 
> It's kinda hard for them to bookmark the login page when they don't know
> the URL.

> 
> Keep in mind that, as far as the browser is concerned, the URL in the
> location is still the page that was originally requested.  Therefore,
> a bookmark for the login form will actually be to the real page (which
> might again trigger authentication if they have exited and restarted
> before following the bookmark).

Not quite true. 

In most cases the login page will not be in the same directory with the
page that needs authentication. If the container does not send a redirect,
but internally displays the login page, all the relative URLs will be 
treated by the browser as relative to the authenticated page, not the
login page. 

Since the spec doesn't mention that the login pages are not allowed to
have relative URLs - I'm not sure it's that easy to implement the form
login without a redirection.

> And (at least for servlet 2.3, but Tomcat 4 doesn't do it right yet), the
> container is supposed to redirect to the originally requested page after
> authentication is completed.  The net effect of this is that the URL of
> the login page is never visible to the user, unless you have deliberately
> linked to it in your user interface.  That's one of the reasons such links
> should not exist.

Costin
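An added example, not part of the thread, showing the point Costin makes above: when the container forwards internally to the login page, the browser's document URL is still the protected page, so every relative reference in the login page resolves against the wrong directory; a redirect avoids that. The hostname, the `/app` context path, the two page locations and the list of relative references are all constructed for illustration. It runs under Node.js using the WHATWG `URL` constructor, which applies the same relative-reference resolution a browser does.

```javascript
// Added example (not from the original thread): resolution of relative
// references inside a form-login page, depending on whether the container
// served that page by an internal forward (location bar still shows the
// protected URL) or by an HTTP redirect (location bar shows the login URL).
// All URLs below are constructed for the demonstration.

// Assumed layout: protected resource and login page in different directories
// of the same web application (context path /app).
const PROTECTED_URL = "https://example.com/app/reports/2001/summary.jsp";
const LOGIN_PAGE_URL = "https://example.com/app/login/login.jsp";

// Constructed relative references a login page might contain.
const LOGIN_PAGE_REFS = [
  "login.css",        // stylesheet sitting next to login.jsp
  "images/logo.gif",  // image in a subdirectory of the login directory
  "j_security_check", // servlet-spec form action (container intercepts the suffix)
];

// Base URL the browser uses for relative references: on an internal forward
// it is the URL originally requested; on a redirect it is the login page URL.
function effectiveBase(mode, requested, loginPage) {
  if (mode === "forward") return requested;
  if (mode === "redirect") return loginPage;
  throw new Error(`unknown mode: ${mode}`);
}

// Resolve each relative reference the way the browser would (RFC 3986
// resolution as implemented by the WHATWG URL constructor).
function resolveLoginPageRefs(
  mode,
  requested = PROTECTED_URL,
  loginPage = LOGIN_PAGE_URL,
  refs = LOGIN_PAGE_REFS,
) {
  const base = effectiveBase(mode, requested, loginPage);
  const resolved = {};
  for (const ref of refs) resolved[ref] = new URL(ref, base).href;
  return resolved;
}

// References that land somewhere different under a forward than under a
// redirect, i.e. the ones the forward approach would break for the page author.
function refsThatDiffer(
  requested = PROTECTED_URL,
  loginPage = LOGIN_PAGE_URL,
  refs = LOGIN_PAGE_REFS,
) {
  const viaForward = resolveLoginPageRefs("forward", requested, loginPage, refs);
  const viaRedirect = resolveLoginPageRefs("redirect", requested, loginPage, refs);
  return refs.filter((ref) => viaForward[ref] !== viaRedirect[ref]);
}

// The usual workaround for a login page that may be forwarded to: emit
// absolute paths (the servlet would typically prefix request.getContextPath())
// instead of references relative to the login page's own directory.
function absolutePathFor(ref, loginPage = LOGIN_PAGE_URL) {
  return new URL(ref, loginPage).pathname;
}

// Usage: print where each reference goes under both delivery modes.
for (const mode of ["forward", "redirect"]) {
  console.log(mode, resolveLoginPageRefs(mode));
}
console.log("broken under forward:", refsThatDiffer());
console.log("absolute path for login.css:", absolutePathFor("login.css"));
```

With the assumed layout, every reference resolves into `/app/reports/2001/` under a forward and into `/app/login/` under a redirect, which is why a login page written with ordinary relative URLs only works reliably when the container redirects to it, or when the page uses context-relative absolute paths as `absolutePathFor` produces.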
