Chris,
Christopher Schultz wrote:
...
Why do you think that HttpSession.invalidate() should act as a log out
mechanism when using CLIENT-CERT authentication?
I guess that where the OP (and I) get a little confused is in the distinction between the
state of "having a session" and "being logged-in", and maybe the sequence in which these
things happen.
But we are willing to be educated (or at least I am) (and the other thread you mention is
not really very explicit in that respect).
So let's say
1) a browser sends a first request to Tomcat, and this happens to be directed to an
application which requires authentication (container-driven).
2) Tomcat intercepts the request (because of the authentication requirement), sends back
something to the browser which tells the browser (or the user) to supply credentials.
3) the browser (or the user) supplies the credentials along with a subsequent
request
4) Tomcat intercepts this again, verifies the credentials, and if they "fit", allows the
request (now "authenticated") to proceed to the application which had been requested in
the first place.
(and I know that there is some variety in the above, depending on the type of
authentication, but roughly that's it, no?)
5) then the request hits the application, and it is the application which "decides" if a
session is created or not. Yes?
And if it decides so, this creates some storage place for this "session thing", and makes
it so that a cookie will later be sent back to the browser, with an id pointing to this
session storage thing, so that a subsequent request which provides this cookie, allows the
application to retrieve the saved session and its contents prior to handling the next request.
Now what is maybe less clear, is whether the "session thing" which was created, contains
or not the authentication data.
And if yes: a "session invalidate" should delete the "session thing" (and the contained
authentication info), and this should have the effect that when the browser sends a
subsequent request, it will find a "no session yet" situation.
Obviously though, "no session" does not necessarily mean "not authenticated", but this is
I believe where the OP (and I) are getting confused.
Can you enlighten us?
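As an added illustration (not code from this thread), the diagnostic servlet below separates the two states the message conflates, "having a session" and "being authenticated", and shows what invalidate() actually touches; the servlet name, the /whoami path and the assumed CLIENT-CERT <login-config> protecting it in web.xml are my own choices.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical probe servlet. Deploy it behind a CLIENT-CERT security
// constraint so the container authenticates the request before doGet runs.
@WebServlet("/whoami")
public class SessionVsAuthServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // getSession(false) never creates a session, so this only observes.
        HttpSession session = req.getSession(false);
        // The principal is attached by the container's authenticator (step 4
        // in the message), before the application is reached at all.
        Principal p = req.getUserPrincipal();
        out.println("session present : " + (session != null));
        out.println("authenticated   : " + (p != null ? p.getName() : "no"));

        if ("invalidate".equals(req.getParameter("action")) && session != null) {
            session.invalidate();   // removes the session object and its attributes
            out.println("after invalidate, session present : " + (req.getSession(false) != null));
            // Still true: authentication happened on this request before the
            // servlet ran, so dropping the session does not undo it.
            out.println("after invalidate, authenticated   : " + (req.getUserPrincipal() != null));
        }
        if ("logout".equals(req.getParameter("action"))) {
            req.logout();           // Servlet 3.0 API: clears the principal for this request
            out.println("after logout, authenticated : " + (req.getUserPrincipal() != null));
        }
    }
}
```

With CLIENT-CERT the browser presents the certificate again on the next request and the container authenticates it afresh, so neither call makes the client "logged out" in any lasting sense; they only affect the session and the current request.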