Hi Todd,

Trying to log off using Basic Auth is becoming something of a FAQ...

> If there was a means by which I could strip out the Authorization
> header in the client request, this would force a 401 response from
> the server which would also satisfy my specific need.

I doubt if this will work. I suspect you want to strip this out when the user does his logout request (i.e. a request for .../logout.html). If you do this, the browser should present a popup box to the user, which he most probably would cancel. However, most browsers seem to recollect the authorisation information they used before. Thus, as soon as the user gets to a page that requests a login, the browser tries with the user credentials that were kept and a popup is never shown.

As someone already suggested: use a cookie-based algorithm. The cookie gives you the opportunity to follow the status of the user and effectively log him out.

Another approach I once saw was the use of a dedicated realm for that user. Instead of using a fixed realm (i.e. security domain), the domain is on a per-session basis. You should still fix the session some way (using the URI or a cookie), but you can still stick with the 'Basic Auth' mechanism.

Hope this helps.

--Frank
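
The per-session realm approach from the message above, as an added example that is not part of the original message. The class PerSessionRealm, the USERS table, the /logout path and the realm naming are assumptions made for illustration; the session id is assumed to travel in a cookie.

```python
import base64, hmac, secrets

USERS = {"alice": "s3cret"}  # constructed sample credentials

class PerSessionRealm:
    """Basic Auth where the realm is bound to a session instead of being fixed."""

    def __init__(self):
        self.sessions = {}  # session id -> {"realm": str, "challenged": bool}

    def _new_realm(self, sid):
        # A fresh realm the browser holds no cached credentials for.
        self.sessions[sid] = {"realm": "app-" + secrets.token_hex(8),
                              "challenged": False}

    def _valid(self, header):
        try:
            scheme, _, blob = (header or "").partition(" ")
            raw = base64.b64decode(blob, validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            return False
        user, _, pw = raw.partition(":")
        expected = USERS.get(user)
        return (scheme.lower() == "basic" and expected is not None
                and hmac.compare_digest(pw.encode(), expected.encode()))

    def handle(self, sid, path, auth_header):
        """Return (status, headers, sid) for one request."""
        if sid not in self.sessions:
            sid = secrets.token_urlsafe(16)
            self._new_realm(sid)
        if path == "/logout":
            self._new_realm(sid)  # rotate: the old realm is never offered again
            return 200, {}, sid
        state = self.sessions[sid]
        # Credentials count only after this session's current realm has been
        # challenged, so a header replayed from the old realm is refused once.
        if state["challenged"] and self._valid(auth_header):
            return 200, {}, sid
        state["challenged"] = True
        challenge = 'Basic realm="%s"' % state["realm"]
        return 401, {"WWW-Authenticate": challenge}, sid
```

Whether the login prompt reappears depends on the browser discarding its kept credentials when the realm changes. The server cannot tell replayed credentials from retyped ones, which is why it refuses the first request after logout regardless of the header.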