Bob, You are correct that browsers keep passing the user/pass with each request. As for getting the browser to rechallenge, that is very tricky and would be hacky at best.
I would expect that when Basic authentication is used and the last request caused Session.logout() to called, the next request (which will contain a valid user/pass), will effectively log the user in. Trying to make Basic authentication act exactly like FORM authentication is probably not realistic as the display of user/pass input screen is browser dependent. Effectively, the user is silently logging back in with the next visit. I believe that this still complies with the spec. I suspect that the real problem may be that the bug submitter's interpretation of the spec may be a bit inaccurate. Patrick Bob Herrmann wrote: > The JSP spec 2.4 gives us Session.logout(), what do we do when using > Basic authentication? Once challenged, the web browser keeps passing > the user/pass (right?) so any ideas about how to get the browser to > re-challenge the end user? (change the domain?) > > > Cheers, > -bob > > > -- > To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> > For additional commands, e-mail: <mailto:[EMAIL PROTECTED]> -- ________________________________________________________________ Patrick Luby Email: [EMAIL PROTECTED] Sun Microsystems Phone: 408-276-7471 901 San Antonio Road, USCA14-303 Palo Alto, CA 94303-4900 ________________________________________________________________ -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
