André,

On 9/17/2011 9:31 AM, André Warnier wrote:
> Christopher Schultz wrote:
> ...
>
> Thanks for all these explanations. And as an aside :
>
>> The only way to terminate a BASIC login is to issue another 401
>> response,
>
> I did not even know that this worked. Does it really ?

It depends on how the browser reacts. It used to be (but may no longer be) that any 401 response from the server resulted in a flush of the credentials sent to the server, which basically re-triggered the pop-up window asking for your credentials again.

Perhaps they cache the credentials and re-use them if the /new/ ones (after a 401-response/next-request cycle) fail. I would be surprised if it did that, though.

> Until now, I thought that the only way to get rid of a BASIC
> authentication was to close the browser.

That's the only reliable way to do it.

I did just check on my server to see how things worked out. I probably should have done it in Java to make things easier on myself, but I decided that Apache httpd just /had/ to have what I was looking for to pull this off in my config file. Alas, I was unable to find a config-file-only solution so I had to use mod_asis and stick this file ("logout") on my disk:

Status: 401 Unauthorized
WWW-Authenticate: Basic realm="My Realm"

Get lost

--- cut ---

Making a request to /logout results in my credentials being discarded and new ones requested. Unfortunately, as soon as I authenticate, I get my "logout" page back again and get the 401 response. My only option is to cancel the login, then go to another URL that won't log me out right away.

So, the technique works, but it's a little fragile.
:)

-chris
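
The behaviour described in the message above, reproduced as an added example that is not part of the original post: a small Python stand-in for the mod_asis "logout" file, showing that the logout URL answers 401 even when valid credentials are presented, which is why re-authenticating lands back on the 401. The credentials, the /private path and the `probe` helper are assumptions constructed for illustration.

```python
import base64
import hmac
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

REALM = "My Realm"             # realm string used in the message
VALID = ("alice", "s3cret")    # constructed sample credentials (assumption)

def basic_header(user, password):
    # Authorization header value a browser sends after the login pop-up.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

class Handler(BaseHTTPRequestHandler):
    def log_message(self, *args):   # silence per-request logging
        pass

    def _reply(self, status, body, challenge=False):
        self.send_response(status)
        if challenge:
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        sent = self.headers.get("Authorization", "").encode("latin-1")
        authed = hmac.compare_digest(sent, basic_header(*VALID).encode())
        if self.path == "/logout":
            # Like the asis file: always 401, whatever credentials arrive.
            self._reply(401, b"Get lost\n", challenge=True)
        elif authed:
            self._reply(200, b"protected content\n")
        else:
            self._reply(401, b"login required\n", challenge=True)

def probe(path, creds=None):
    # Serve exactly one request on an ephemeral port; return its status.
    server = HTTPServer(("127.0.0.1", 0), Handler)
    worker = threading.Thread(target=server.handle_request)
    worker.start()
    headers = {"Authorization": basic_header(*creds)} if creds else {}
    conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
    conn.request("GET", path, headers=headers)
    response = conn.getresponse()
    response.read()
    conn.close()
    worker.join()
    server.server_close()
    return response.status
```

`probe("/logout", VALID)` returns 401 while `probe("/private", VALID)` returns 200: the server never stops accepting the old credentials, so the "logout" depends entirely on the browser discarding them when it sees the challenge.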