I'm sure others are more knowledgeable, but from what I've been able to observe
(snoop servlet is wonderful), a session must have been created before
authentication. I'm basing all of my stuff off of my b*stardization of
SimpleRealm, BTW. Session name is JSESSIONID. A principal user is defined and
the username and password are stored in the session variable (j_username &
j_password) upon successful authentication. A tomcat.auth.originalLocation is
defined if they attempted to access a specific secure part before being
authenticated. If so, after they authenticate it takes them to that particular
page.
To log out, I have my users hit a servlet (could be a jsp) that goes through all
the cookies and expires them. Since Tomcat can only expire the cookies it
created, you don't have to worry about killing someone else's cookie. Looking
at my code now, I can't remember if expiring the session takes care of removing
the cookies or not. At any rate, I think I had trouble getting the
session.invalidate() to work in a jsp (since they create sessions automagically)
so maybe that's why I went to the jsp. Maybe the invalidate is required to drop
the principal user... At any rate, I'm going to re-evaluate my code but this
does work. Enjoy.
/bill
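// needs java.io.IOException, javax.servlet.ServletException, javax.servlet.http.*
public void doGet(HttpServletRequest request, HttpServletResponse response)
    throws IOException, ServletException
{
    // Invalidate the server-side session if the request carried a valid one.
    if ( request.isRequestedSessionIdValid() )
    {
        HttpSession session = request.getSession(false);
        if ( session != null )
        {
            session.invalidate();
        }
    }
    // getCookies() returns null when the request carries no cookies.
    Cookie BagofGingerSnaps[] = request.getCookies();
    if ( BagofGingerSnaps != null )
    {
        for (int i = 0; i < BagofGingerSnaps.length ; i++)
        {
            BagofGingerSnaps[i].setMaxAge(0); //expire all cookies in 0 seconds
            response.addCookie(BagofGingerSnaps[i]); //replace old cookies with the new
        }
    }
    // stLogoutDestination is not shown in the post; assumed to be a String field of the servlet.
    response.sendRedirect(stLogoutDestination);
}//closes doGet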
paul marshal <[EMAIL PROTECTED]> on 02/21/2001 09:10:08 AM
Please respond to [EMAIL PROTECTED]
To: tomcat-list <[EMAIL PROTECTED]>
cc: (bcc: Bill Fellows/MO/americancentury)
Subject: formbased authentication: logout ?
How do I create a possibility for my users to log out?
Is there something in the HttpSession that I need to delete?
Or how does it all work?
Paul
--
Paul Marshall
[EMAIL PROTECTED]
089/26019-609
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
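
An added example, not part of the original post or of Tomcat: a logout servlet that relies on session.invalidate() for the server-side logout and expires only the JSESSIONID cookie. A browser sends back just the cookie name and value, so a cookie re-added with MaxAge 0 replaces the original only if its Path matches the one it was set with. The class name LogoutServlet, the destination page, and the use of the context path as the session cookie's Path are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example; LogoutServlet and LOGOUT_DESTINATION are hypothetical names.
public class LogoutServlet extends HttpServlet {
    private static final String SESSION_COOKIE = "JSESSIONID";          // name given in the post
    private static final String LOGOUT_DESTINATION = "/loggedout.html"; // assumed public page

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        // getSession(false) never creates a session; it returns null if none exists.
        HttpSession session = request.getSession(false);
        if (session != null) {
            // Drops the server-side state, including what the post says is stored
            // there (the principal, j_username, j_password). This is the actual logout.
            session.invalidate();
        }

        // Assumption: the container set the session cookie with Path = context path
        // ("/" for the root context). The request does not reveal the original Path.
        String path = request.getContextPath();
        if (path == null || path.isEmpty()) {
            path = "/";
        }

        Cookie[] cookies = request.getCookies(); // null when the request has no cookies
        if (cookies != null) {
            for (Cookie c : cookies) {
                if (SESSION_COOKIE.equals(c.getName())) {
                    Cookie expired = new Cookie(SESSION_COOKIE, "");
                    expired.setPath(path);  // must match the original cookie's Path
                    expired.setMaxAge(0);   // tells the browser to delete it now
                    response.addCookie(expired);
                }
            }
        }
        response.sendRedirect(request.getContextPath() + LOGOUT_DESTINATION);
    }
}
```

Even if the browser keeps the cookie, the invalidated session id no longer maps to a session on the server, so expiring the cookie is cleanup rather than the control that ends the login.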
Re: formbased authentication: logout ?
Bill_Fellows/MO/americancentury Wed, 21 Feb 2001 06:19:48 -0800
