raj wrote:
> I have set the session expiry time in my Test
> servlet to 10 secs (BASIC auth., using JDBC realm).
>
> But when I type in the URL in the browser
> (IE5/6, Mozilla, Netscape 4.x etc), the login window
> does not reappear but request goes straight to the
> servlet in question.
>
> I even tried to invalidate the session cookie using a "logout" link
> in the test servlet, but to no avail.
>
> Only if the browser is destroyed does the login window reappear.
>
> Any idea to force a login after a certain interval of time?
>
> Cheers
> -raj

If you are using BASIC authentication, then your browser will send your credentials with every request. There's no way to 'log off' short of closing the browser. If in the meantime the session has died at the server end, the server will see a new request with correct credentials and create a new session (test this by putting a session.getId() in your JSP or servlet somewhere). Since the browser already gave the credentials, no login screen will be shown.

Try the same using FORM-based authentication. In that case the session-id is either stored in a cookie or encoded in the URL. If the session dies at the server, a request will have an invalid session-id and the user will be prompted for his username/password again.

It is possible to switch to FORM-based login without changing anything in your web-app. Simply create a page with the correct <FORM> and <INPUT> elements and modify your web.xml. The user experience stays the same: when the user accesses any URL in the protected area, the login page will pop up, and after he provides correct information he will be directed to the page he requested.

For Tomcat 3, just make sure the login page is outside the protected area; for Tomcat 4 it does not matter.

Luc Vanlerberghe
