@Rick:

Ahh, that makes sense. However, it's not logging out of HTTP Basic. It's
just invalidating a session ID. I also doubt that it'll work properly
if done in one browser session - the browser will keep re-sending the
Authorization header regardless of your invalidated session. The
browser doesn't know anything about the way sessions are stored on
your computer. You can perhaps do some hackery by generating a random
realm every time, but now you're hacking an inferior system - what's the
point?

For 'proof', see RFC 2616. It specifically does not mention anything
about keeping the username/password entered around; however, it is
quite specific about suggesting (which in RFC speak is a strong
encouragement to do it) that you save this information, as a
web browser, because the browser may assume that all URLs 'below' the
URL that needed authentication also need authentication, and thus the
browser may pre-emptively send the header.

Most browsers don't store this information beyond a single session,
but in this day and age, people can go for many weeks without ever
closing their browser, so that is of little comfort. There's also no
rule that states that browsers aren't allowed to do it. The RFC, as I
mentioned, is deliberately low on detail, which is really bad for
security purposes. The followup RFC (2617) is also fairly specific
about never using HTTP-Basic to do serious authentication and strongly
suggests that you generate passwords for the user. Riiight - that's
going to go over real well in today's world.

Let's recap:

 - It's such a weird and rarely used device that your average user will
flip out, and
 - It is far more insecure than cookies and has dubious logout
capability.
 - The official web standard urges you not to use it for what we're
talking about.

Ah, yes. That's why nobody uses it.

On Nov 18, 10:28 pm, Rick <[EMAIL PROTECTED]> wrote:
> To logout from HTTP authentication use:
>
> public void logout() {
>     HttpSession session = this.getThreadLocalRequest().getSession();
>     session.invalidate();
>
> }
>
> You can do this in your ServiceImpl class.
>
> I kind of agree with Reinier, but might have used language that was
> less strong.
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
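As an added illustration of the point made in this thread (not code from the thread or from GWT), here is a small Python model of a server that gates access on HTTP Basic credentials and also keeps a session store: invalidating the session, as the quoted logout() does, leaves a browser that re-sends its cached Authorization header fully authorized. The user store, session model and function names are constructed for the demo.

```python
import base64
import secrets
import uuid

# Constructed credential and session stores for this demo only.
USERS = {"alice": "correct horse"}
SESSIONS = {}  # session id -> data; the store that session.invalidate() clears


def basic_header(user, password):
    """Build the 'Authorization: Basic ...' value a browser sends for a cached login."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic(auth_header):
    """Validate a Basic Authorization header; return the username or None."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(auth_header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    expected = USERS.get(user)
    if not sep or expected is None:
        return None
    # Constant-time comparison; bytes so non-ASCII passwords do not raise.
    if not secrets.compare_digest(expected.encode(), password.encode()):
        return None
    return user


def handle_request(headers):
    """Server side: return (status, session_id). Access is granted purely from the
    per-request Authorization header; the session is a side store, not the gate."""
    user = check_basic(headers.get("Authorization"))
    if user is None:
        return 401, None
    sid = headers.get("Cookie")
    if sid not in SESSIONS:
        sid = uuid.uuid4().hex
        SESSIONS[sid] = {"user": user}
    return 200, sid


def logout(sid):
    """Equivalent of the quoted session.invalidate(): forget the server-side session."""
    SESSIONS.pop(sid, None)


def demo():
    """A browser that cached alice's credentials keeps resending them after 'logout'."""
    cached = basic_header("alice", "correct horse")  # what the browser remembers
    status1, sid = handle_request({"Authorization": cached})
    logout(sid)  # server forgets the session...
    status2, _ = handle_request({"Authorization": cached, "Cookie": sid})
    return status1, status2  # ...but the next request is still accepted
```

The only server-side lever that actually changes the outcome is rejecting the credentials themselves (or, as the post notes, changing the realm so the browser stops matching its cached header).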
