Hi,

The Servlet 2.4 spec includes HttpSession.logout().

My question is, how should Tomcat handle a logout() when the webapp is using "Basic Authentication"? Basic Authentication is described in http://www.ietf.org/rfc/rfc2617.txt Chapter 2.

My assertion is: once a remote user has logged in once using Basic Authentication, there is no way to log them out. (In most cases, they need to close their browser to effect a logout.) When receiving a request, Tomcat cannot tell if a user was asked to login or not. A page load and a login are identical.

Some have suggested attempting "tricking" the remote user into relogging in by re-challenging the user. The problem with this approach is that the protocol doesn't allow us to differentiate between a request that is coming from a "newly challenged" client or a "challenged previously" client.

Some have suggested sending a cookie along with the challenge and using them together to authenticate the re-login. This might work. It depends on whether the browser accepts the cookie right away or not. If the cookie is accepted immediately by the browser and the user ignores the login dialog (or dismisses it), the new cookie could be set. This would put us back at being unable to identify if a request is a "relogin" or a "page load."

My current plan is to:

1. verify that the "new cookie" approach doesn't work
2. dig up some history on why "Basic Authentication" is so broken (early protocol addition?)
3. suggest a language change to the Servlet 2.4 spec, something like adding to the logout() section: "If the container is authenticating using Basic Authentication (thus the authentication state is stored on the browser), logout() must only invalidate the user's session (or if using SingleSignOn, all the user's sessions.)"

Cheers,
-bob
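The two behaviours argued above (a cached Basic credential silently re-establishes a session after logout(), and a re-login cookie stored from a dismissed 401 makes the next plain page load look like a re-login) can be reproduced with a small simulation. The code below is an added illustration, not Tomcat code and not part of the original post; the user store, realm name, cookie names and the one-token-per-challenge scheme are constructed assumptions, and the browser model encodes the post's premise that a Set-Cookie on a 401 is stored even when the dialog is dismissed.

```python
import base64

# Constructed demo user store; not Tomcat's realm implementation.
USERS = {"bob": "secret"}
REALM = "demo"


def parse_basic(header):
    """Return the user name if `header` is a valid RFC 2617 Basic
    credential for a known user, otherwise None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = raw.partition(":")
    return user if USERS.get(user) == password else None


def parse_cookies(header):
    return dict(c.split("=", 1) for c in header.split("; ") if "=" in c)


class Server:
    """Toy container: Basic auth plus server-side sessions. With
    use_relogin_cookie=True it also applies the 'cookie with the
    challenge' idea from the post (assumed single-use token)."""

    def __init__(self, use_relogin_cookie=False):
        self.use_relogin_cookie = use_relogin_cookie
        self.sessions = {}       # session id -> user
        self.tokens = set()      # re-login tokens issued with a challenge
        self.last_session = None
        self.n_sess = self.n_tok = 0

    def _challenge(self):
        headers = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
        if self.use_relogin_cookie:
            self.n_tok += 1
            token = f"tok{self.n_tok}"
            self.tokens.add(token)
            headers["Set-Cookie"] = f"relogin={token}"
        return 401, headers

    def handle(self, req_headers):
        """One request. Returns (status, response headers)."""
        user = parse_basic(req_headers.get("Authorization"))
        cookies = parse_cookies(req_headers.get("Cookie", ""))
        if user is None:
            return self._challenge()
        if cookies.get("JSESSIONID") in self.sessions:
            return 200, {}
        # Valid credentials but no live session: this is what a "login"
        # looks like on the wire, and also what a plain page load looks like.
        if self.use_relogin_cookie:
            token = cookies.get("relogin")
            if token not in self.tokens:
                return self._challenge()
            self.tokens.discard(token)   # token is single-use
        self.n_sess += 1
        sid = f"sess{self.n_sess}"
        self.sessions[sid] = user
        self.last_session = sid
        return 200, {"Set-Cookie": f"JSESSIONID={sid}"}

    def logout(self, sid):
        """logout() as the post proposes: invalidate the session only."""
        self.sessions.pop(sid, None)


class Browser:
    """User agent: caches Basic credentials for the realm and resends them
    on every later request; stores any Set-Cookie immediately, even on a
    401 whose dialog the user then dismisses (the post's premise)."""

    def __init__(self, on_prompt):
        self.on_prompt = on_prompt   # () -> (user, password) or None if dismissed
        self.cached_auth = None
        self.cookies = {}
        self.prompts = 0

    def _send(self, server):
        h = {}
        if self.cached_auth:
            h["Authorization"] = self.cached_auth
        if self.cookies:
            h["Cookie"] = "; ".join(f"{k}={v}" for k, v in self.cookies.items())
        status, rh = server.handle(h)
        if "Set-Cookie" in rh:
            k, v = rh["Set-Cookie"].split("=", 1)
            self.cookies[k] = v
        return status

    def load(self, server):
        """One page load, showing at most one login dialog."""
        status = self._send(server)
        if status != 401:
            return status
        self.prompts += 1
        creds = self.on_prompt()
        if creds is None:
            return 401    # dismissed; cached credentials and cookies are kept
        self.cached_auth = "Basic " + base64.b64encode(
            f"{creds[0]}:{creds[1]}".encode()).decode()
        return self._send(server)


def scenario_plain():
    """Plain Basic auth: after logout(), the next load is re-authenticated
    with no dialog. Returns (first load, load after logout, dialogs shown)."""
    server = Server()
    browser = Browser(on_prompt=lambda: ("bob", "secret"))
    first = browser.load(server)
    server.logout(server.last_session)
    return first, browser.load(server), browser.prompts


def scenario_relogin_cookie():
    """Cookie-with-challenge: the user dismisses the re-login dialog, yet the
    following page load (cached creds + stored token) is accepted as a
    re-login. Returns (dismissed load, next load, dialogs shown)."""
    server = Server(use_relogin_cookie=True)
    answers = [("bob", "secret"), None]   # answer the first dialog, dismiss the second
    browser = Browser(on_prompt=lambda: answers.pop(0))
    browser.load(server)
    server.logout(server.last_session)
    dismissed = browser.load(server)
    return dismissed, browser.load(server), browser.prompts
```

Running `scenario_plain()` gives `(200, 200, 1)`: one dialog in total, and the session is silently recreated after logout(). `scenario_relogin_cookie()` gives `(401, 200, 2)`: the re-challenge is shown and dismissed, but the token it set is already in the cookie jar, so the very next navigation is indistinguishable from a user who answered the dialog. This is exactly why, under Basic Authentication, the only thing the container can reliably do in logout() is invalidate its own session state.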