The remote user is HTTP protocol specific. It does not use anything in the user's session.

If you want to log out a user who has used basic auth you need to send them a page with a status of not authorised. The browser will then get the message that the user is 'logged out'.

Hope this helps!

Of course basic auth isn't very secure as the user's username/password gets passed in the clear on every transfer...

D

[EMAIL PROTECTED] wrote:
> Hi!
>
> I have understood that logging out the current user should be done by
> calling
>
> session.invalidate()
>
> .. however, this does not seem to work: the session is emptied, but for
> instance request.getRemoteUser() will still return the same user as
> before invalidation..
>
> Is this a Tomcat bug or have I misunderstood something here?
>
> I'm using Tomcat 4.0.1 and HTTP basic authentication without SSL.
>
> Thanks in advance.
>
> -juha-
>
> --
> To unsubscribe: <mailto:[EMAIL PROTECTED]>
> For additional commands: <mailto:[EMAIL PROTECTED]>
> Troubles with the list: <mailto:[EMAIL PROTECTED]>
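The logout approach described in the reply, as an added example that is not code from the thread: a servlet that invalidates the session and then answers with 401 and a Basic challenge. The class name `BasicAuthLogoutServlet` and the realm string are assumptions; the realm is assumed to match the `<realm-name>` configured in the application's `web.xml`.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical logout endpoint for an application protected by HTTP basic auth.
public class BasicAuthLogoutServlet extends HttpServlet {

    // Assumption: same value as <realm-name> in web.xml's <login-config>.
    private static final String REALM = "Example Realm";

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // Server-side state: clear the session if one exists, without creating one.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // session.invalidate() alone does not change getRemoteUser(): the browser
        // resends the Authorization header on every request. Answering 401 with a
        // challenge for the same realm tells the browser that the credentials it
        // sent were not accepted.
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");

        // Keep the logout response from being served out of a cache.
        response.setHeader("Cache-Control", "no-store");
        response.setHeader("Pragma", "no-cache");

        // Body shown if the user cancels the browser's credential prompt.
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.println("<html><body><p>You have been logged out.</p></body></html>");
    }
}
```

Browsers differ in how they react to the 401: most prompt for credentials again, and the cached ones are only dropped once the user cancels or enters different ones. Because the credentials travel on every request, this endpoint and the rest of the application belong behind SSL.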
