@Rick: Ahh, that makes sense. However, it's not logging out of HTTP Basic. It's just invalidating a session ID. I also doubt that it'll work properly if done in one browser session - the browser will keep re-sending the Authorization header regardless of your invalidated session. The browser doesn't know anything about the way sessions are stored on your computer. You can perhaps do some hackery by generating a random realm every time, but now you're hacking an inferior system - what's the point?
For 'proof', see RFC2616. It specifically does not mention anything about keeping the username/password entered around; however, it is quite specific about suggesting (which in RFC speak is a strong encouragement to do it) that you save this information, as a web browser, because the browser may assume that all URLs 'below' the URL that needed authentication also need authentication, and thus the browser may pre-emptively send the header. Most browsers don't store this information beyond a single session, but in this day and age people can go for many weeks without ever closing their browser, so that is of little comfort. There's also no rule that states that browsers aren't allowed to do it. The RFC, as I mentioned, is deliberately low on detail, which is really bad for security purposes.

The follow-up RFC (2617) is also fairly specific about never using HTTP Basic to do serious authentication and strongly suggests that you generate passwords for the user. Riiight - that's going to go over real well in today's world.

Let's recap:
- It's such a weird and rarely used device that your average user will flip out, and
- It is far more insecure than cookies and has dubious logout capability.
- The official web standard urges you not to use it for what we're talking about.

Ah, yes. That's why nobody uses it.

On Nov 18, 10:28 pm, Rick <[EMAIL PROTECTED]> wrote:
> To logout from HTTP authentication use:
>
> public void logout() {
>     // getThreadLocalRequest() is available inside a GWT RemoteServiceServlet;
>     // this drops the server-side HttpSession for the current request
>     HttpSession session = this.getThreadLocalRequest().getSession();
>     session.invalidate();
> }
>
> You can do this in your ServiceImpl class.
>
> I kind of agree with Reinier, but might have used language that was
> less strong.

You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
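The exchange Reinier describes, as an added example that is not part of the original thread and not GWT or servlet-container code: a constructed Python model of a server that validates the Basic `Authorization` header on every request while also tracking a cookie session (the way a Basic-protected servlet app behaves), and a browser model that caches credentials per realm and pre-emptively resends them for URLs below the one that first required authentication. Running it shows that `session.invalidate()` on the server does not log the user out of Basic auth, and what the "random realm" hack has to do (answer the logout request with a 401 carrying a fresh realm) to force a re-prompt. The endpoint names, the credential store, the `rotate_realm_on_logout` switch and the assumption that a browser discards cached credentials once they are rejected with a 401 are all assumptions of this example; the RFC does not mandate that last behaviour, which is the point being made above.

```python
"""Constructed model of HTTP Basic 'logout' behaviour (example, not GWT code)."""
import base64
import secrets

USERS = {"alice": "s3cret"}  # constructed credential store (assumption)


def _basic(user, pw):
    """Build an 'Authorization: Basic' header value."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


def _decode_basic(header):
    """Return (user, password) from a Basic header value, or None if absent/garbled."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
    except ValueError:  # bad base64 or bad UTF-8
        return None
    return user, pw


class Server:
    """Checks Basic credentials on every request and keeps a cookie session."""

    def __init__(self, rotate_realm_on_logout=False):
        self.realm = "app"
        self.rotate = rotate_realm_on_logout  # the 'random realm' hack (assumption)
        self.sessions = {}                    # session id -> user

    def _challenge(self):
        return 401, {"WWW-Authenticate": f'Basic realm="{self.realm}"'}

    def handle(self, path, headers):
        creds = _decode_basic(headers.get("Authorization"))
        if creds is None or USERS.get(creds[0]) != creds[1]:
            return self._challenge()
        sid = headers.get("Cookie", "").partition("=")[2]
        if path == "/app/logout":
            self.sessions.pop(sid, None)      # what session.invalidate() achieves
            if self.rotate:
                self.realm = secrets.token_hex(4)  # new realm + 401 to shake the cache
                return self._challenge()
            return 200, {}
        resp = {}
        if sid not in self.sessions:          # stale or missing cookie: mint a new one
            sid = secrets.token_hex(8)
            self.sessions[sid] = creds[0]
            resp["Set-Cookie"] = f"JSESSIONID={sid}"
        return 200, resp


class Browser:
    """Caches Basic credentials per realm and pre-emptively sends them below the auth URL."""

    def __init__(self, prompt):
        self.prompt = prompt      # callback(realm) -> (user, pw) or None when the user cancels
        self.prompts = 0
        self.cached = None        # (path prefix, realm, user, pw)
        self.cookie = None

    def get(self, server, path):
        headers = {}
        if self.cookie:
            headers["Cookie"] = self.cookie
        if self.cached and path.startswith(self.cached[0]):
            headers["Authorization"] = _basic(self.cached[2], self.cached[3])  # pre-emptive
        status, resp = server.handle(path, headers)
        if status == 401:
            realm = resp["WWW-Authenticate"].split('realm="')[1].rstrip('"')
            self.cached = None    # whatever we sent was rejected (assumed browser behaviour)
            self.prompts += 1
            creds = self.prompt(realm)
            if creds is None:
                return 401, resp
            headers["Authorization"] = _basic(*creds)
            status, resp = server.handle(path, headers)
            if status == 200:     # remember creds for everything under this directory
                self.cached = (path.rsplit("/", 1)[0] + "/", realm, *creds)
        if "Set-Cookie" in resp:
            self.cookie = resp["Set-Cookie"]
        return status, resp


def run(rotate_realm, user_answers):
    """Login, 'logout', then revisit; report whether the user had to re-authenticate."""
    server = Server(rotate_realm)
    answers = iter(user_answers)
    browser = Browser(prompt=lambda realm: next(answers))
    out = {"login": browser.get(server, "/app/data")[0]}
    out["logout"] = browser.get(server, "/app/logout")[0]
    before = browser.prompts
    out["after_logout"] = browser.get(server, "/app/data")[0]
    out["reprompted"] = browser.prompts > before
    return out


if __name__ == "__main__":
    print("session.invalidate() only:", run(False, [("alice", "s3cret")]))
    print("401 + random realm on logout:",
          run(True, [("alice", "s3cret"), None, ("alice", "s3cret")]))
```

In the first run the revisit after logout still gets a 200 without any prompt: the browser resends the cached header, the server validates it again and simply mints a new session, so only the session ID was killed. In the second run the logout endpoint answers 401 with a fresh realm, the modelled browser drops its cache and the user is prompted again on the next request; how real browsers treat that 401 varies and is not fixed by RFC 2617, so this remains the hack the post calls it.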