Adding objects:

    HttpSession session = request.getSession();
    session.setAttribute("foo", "Foo");

If at some point in your code, you want to "log out" a user,

    session.invalidate();

Then when they request a protected resource, the container "ought" to
re-authenticate them through FORM auth, because the session is where the
container "ought" to store this info. But again, I don't *know* this
for certain.
There are plenty of other methods of interest on session. You might
also read the javadocs for request.getSession() and the differences when
you supply a boolean parameter in that method.
The jsession_id in your address bar means only that the server cannot
determine (yet) if cookies are enabled on your client, and has
re-written the URL to contain the (in your case new) session id. Once
cookies are confirmed, the URL is no longer rewritten, unless your
container supports a configuration where URL rewriting is *always* done
(like iPlanet).
> -----Original Message-----
> From: Rick Roberts [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 10, 2003 12:56 PM
> To: Tomcat Users List
> Subject: Re: JDBCRealm - Session not timing out
>
>
> > I'm not entirely sure about Form AUTH, but Basic AUTH doesn't use
> > sessions. The browser caches the login information provided and
> > re-sends it on each request. So, there is no real "time out" for Basic
> > AUTH. The only equivalent would be to close all open browsers. This
> > deletes the cache of the Basic AUTH credentials forcing the user to
> > re-enter it once a new browser is opened and the protected web site is
> > re-visited.
>
> And that is exactly why Basic AUTH is unacceptable. The only way to log in
> with different user credentials is to kill all instances of your browser.
>
> I have seen references (hints) about invalidating the session to force a
> re-login. However, I cannot find any information that explains how / when the
> session is created or how I can use that session.
>
> (I frequently use session objects and am familiar with how they work, but
> using JDBCRealm is new to me)
>
> When I set up for Form AUTH and navigate to the test URL, I see the following:
>
> http://localhost/hd/login.jsp;jsessionid=9385A2CD74946FCFF922CC327699E22E
>
> Which seems to indicate that a session has been created.
>
> Now, if it has been created, how can I use it? I would like to add my objects
> to the session object.
--
*******************************************
* Rick Roberts *
* Advanced Information Technologies, Inc. *
*******************************************
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
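
Added example, not part of the original messages: a servlet that stores an object on the session and logs the user out by invalidating it, showing the getSession() / getSession(false) difference mentioned in the reply. The class name, the protected path and the javax.servlet namespace (jakarta.servlet on newer containers) are assumptions, as is a container that keeps the FORM-authenticated principal in the session.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet for illustration; map it to a URL of your choice in web.xml.
public class SessionDemoServlet extends HttpServlet {

    // Hypothetical path assumed to be covered by a <security-constraint>.
    private static final String PROTECTED_PAGE = "/protected/index.jsp";

    // GET: store an object on the session, as in the reply above.
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getSession() is the same as getSession(true): it creates a
        // session when the request does not already carry a valid one.
        HttpSession session = request.getSession();
        session.setAttribute("foo", "Foo");
        response.setContentType("text/plain");
        response.getWriter().println("foo=" + session.getAttribute("foo")
                + " newSession=" + session.isNew());
    }

    // POST: log out. POST rather than GET so a plain link or image tag
    // on another site cannot end the user's session.
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getSession(false) returns null instead of creating a session,
        // so logging out never allocates a new one as a side effect.
        HttpSession session = request.getSession(false);
        if (session != null) {
            // Unbinds every attribute and makes the session ID unusable.
            session.invalidate();
        }
        // Not passed through encodeRedirectURL(), so no ;jsessionid=... is
        // appended. The next request to the protected page arrives without
        // an authenticated session and is sent to the FORM login page.
        response.sendRedirect(request.getContextPath() + PROTECTED_PAGE);
    }
}
```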