In most applications this is one of those *perceived* problems that corporate users get uptight about.

The best way to prevent abuse of an idle authenticated browser window is a screensaver with password lock -- as it protects the rest of the computer, the documents thereon, etc.

The only really good case for a logout is where you have a shared computer with many different users coming and going -- and all using a single "guest" account on the client itself rather than separate logins. In this case a "logoff" button that closed down the browser would not be a half bad idea :-)

--
Jess Holle

P.S. Yes, I know transferring the name/password only on initial authentication and using a session key of some sort from thereon out is fractionally more secure -- but you still need HTTPS to really be secure in either case.

Robert Harper wrote:

If you read the docs on BASIC authentication, you will find that the browser
caches the login information and will provide it every time you return to
that site. The way to log out is to close the browser. Apparently this has
been a problem for web developers for some time. Browser developers have not
seen this as a problem. Instead they seem to feel that the caching is a
benefit to the user by not requiring them to re-enter the same information.

Robert S. Harper
801.265.8800 ext. 255
[EMAIL PROTECTED]
-----Original Message-----
From: Robert r. Sanders [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 20, 2005 10:07 AM
To: Tomcat Users List
Subject: Re: Can't do logout in basic authentication


You can try google: http://www.modpython.org/pipermail/mod_python/2001-August/012120.html

Otgonbayar wrote:


I am using basic authentication in my application and I need to create a
logout link in my JSP that does LOGOUT. It seems session.invalidate() doesn't work.
How can I do this? Please help me!
Thanks
Otgo
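
The behaviour discussed in this thread, as an added example that is not part of the original messages: a simplified Python model of a container enforcing BASIC authentication and a browser that caches the credentials. The names `handle`, `invalidate`, `Browser` and `demo`, the account and the realm are all constructed for illustration; `invalidate` stands in for `session.invalidate()`.

```python
import base64
import hmac
import secrets

USERS = {"otgo": "s3cret"}      # constructed sample account
SESSIONS = {}                   # session id -> user

def handle(headers):
    """Simplified container: session cookie first, then BASIC credentials."""
    sid = headers.get("Cookie")
    if sid in SESSIONS:
        return 200, {"Cookie": sid}
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:
            user, pw = "", ""
        if user in USERS and hmac.compare_digest(USERS[user].encode(), pw.encode()):
            sid = secrets.token_hex(8)      # silently start a fresh session
            SESSIONS[sid] = user
            return 200, {"Cookie": sid}
    return 401, {"WWW-Authenticate": 'Basic realm="app"'}

def invalidate(sid):
    """Stands in for session.invalidate(): drops server-side state only."""
    SESSIONS.pop(sid, None)

class Browser:
    """Caches BASIC credentials until the browser itself is closed."""
    def __init__(self):
        self.cookie = self.cached_auth = None

    def get(self, user=None, password=None):
        headers = {k: v for k, v in (("Cookie", self.cookie),
                                     ("Authorization", self.cached_auth)) if v}
        status, resp = handle(headers)
        if status == 401 and user is not None:   # user fills in the login dialog
            cred = base64.b64encode(f"{user}:{password}".encode()).decode()
            self.cached_auth = headers["Authorization"] = "Basic " + cred
            status, resp = handle(headers)
        self.cookie = resp.get("Cookie", self.cookie)
        return status

def demo():
    b = Browser()
    first = b.get("otgo", "s3cret")   # login dialog shown once
    old_sid = b.cookie
    invalidate(old_sid)               # the "logout" link
    second = b.get()                  # no dialog: cached header re-authenticates
    fresh = Browser().get()           # a restarted browser has no cache
    return first, second, b.cookie != old_sid, fresh
```

The request after the "logout" succeeds with a new session id because the browser still attaches the cached `Authorization` header; only a browser with an empty cache receives the 401 challenge.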



