Mitch,

Fisher, Mitchell L wrote:
>> Christopher Schultz wrote:
>>> When you want to log someone out of BASIC authentication, you
>>> have to send a blank "WWW-Authenticate" header to the client,
>>> just the same way that Tomcat would do if you weren't already
>>> authenticated.
>
> Could you expand on this? RFC2616 (HTTP/1.1)
> (http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.47) says
> of the WWW-Authenticate header:
>
> "The field value consists of at least one challenge that indicates the
> authentication scheme(s) and parameters applicable to the Request-URI."
>
> Which clients would take a null WWW-Authenticate header to mean log out?

I think I was a little unclear before. It's not that the client's browser takes a "null" WWW-Auth response to log you out... it's that the presence of this header in the response indicates that any existing WWW-Auth information that had been sent to the server was incorrect. The browser should respond by asking the user for their credentials again.

The browser doesn't care if the "old" credentials were perfectly valid, or that the "new" set are actually the same as the old ones. It just knows that receipt of a WWW-Auth header from the server means "any creds you may have sent me are not suitable", and the browser takes appropriate action. The effect is that of being logged out.

-chris
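The exchange described in the reply above, as an added worked example that is not part of the original thread and not Tomcat code: a small model of a Basic-auth server and of a browser's credential cache. The server answers `/logout` with the same `401` + `WWW-Authenticate` challenge it sends for any unauthenticated request, and the modelled browser, on seeing that challenge, throws away what it had cached and asks the user again. The realm name, the `/secret` and `/logout` paths, the user store and the `Browser` class are all constructed for the example; the browser behaviour is the one the message describes, and real browsers differ in how (or whether) they re-prompt for a cached Basic credential.

```python
import base64

# Constructed example: minimal HTTP Basic authentication server logic plus a
# model of the browser's per-realm credential cache. Nothing here is from
# Tomcat; the realm, paths and user store are assumptions for illustration.

REALM = "example"            # assumed realm name
USERS = {"alice": "s3cret"}  # constructed credential store


def challenge():
    """The 401 response a server sends when it has no acceptable credentials.
    Sending exactly this on /logout is the 'log out of Basic auth' trick."""
    return {"status": 401,
            "headers": {"WWW-Authenticate": f'Basic realm="{REALM}"'},
            "body": ""}


def check_basic(auth_header):
    """Return the user name if the Authorization header carries valid Basic
    credentials, otherwise None (malformed, undecodable or wrong password)."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(auth_header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep or USERS.get(user) != password:
        return None
    return user


def handle(path, headers):
    """Server side. /logout challenges unconditionally, even if the
    credentials presented are perfectly valid; everything else is protected."""
    if path == "/logout":
        return challenge()
    user = check_basic(headers.get("Authorization"))
    if user is None:
        return challenge()
    return {"status": 200, "headers": {}, "body": f"hello {user}"}


class Browser:
    """Client side: caches credentials per realm and, on receiving a
    WWW-Authenticate challenge, discards the cached entry and re-prompts."""

    def __init__(self, prompt):
        self.prompt = prompt   # callable returning (user, password) or None if cancelled
        self.cached = {}       # realm -> Authorization header value
        self.prompts = 0       # how many times the user was asked

    def get(self, path):
        headers = {}
        if REALM in self.cached:
            headers["Authorization"] = self.cached[REALM]
        resp = handle(path, headers)
        if resp["status"] == 401 and "WWW-Authenticate" in resp["headers"]:
            # A challenge means whatever we sent is unsuitable: forget it and ask.
            self.cached.pop(REALM, None)
            self.prompts += 1
            creds = self.prompt()
            if creds is None:          # user cancelled the dialog
                return resp
            token = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
            self.cached[REALM] = f"Basic {token}"
            headers["Authorization"] = self.cached[REALM]
            resp = handle(path, headers)
        return resp


def demo():
    """Walk through login, cached access, logout and forced re-login."""
    answers = iter([("alice", "s3cret"), None, ("alice", "s3cret")])
    b = Browser(prompt=lambda: next(answers))
    statuses = [
        b.get("/secret")["status"],  # challenge -> prompt -> 200
        b.get("/secret")["status"],  # cached creds reused, no prompt -> 200
        b.get("/logout")["status"],  # challenge clears cache, user cancels -> 401
        b.get("/secret")["status"],  # nothing cached -> challenge -> prompt -> 200
    ]
    return {"statuses": statuses, "prompts": b.prompts}


if __name__ == "__main__":
    print(demo())
```

The point the model makes concrete is that the server never "invalidates" anything: Basic credentials live only in the browser, so the only lever the server has is to answer with the same challenge it would send to a stranger. Note also that the second `/secret` request succeeds with no prompt, which is why a real logout needs the `/logout` challenge rather than simply dropping a session.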