Title: RE: Force Logon after X minutes

The browser remembers the Authorization header for that realm. There are a couple of ways you can force the browser to re-login.

Option 1) In your code, have a check for a time interval; if you get a request after that interval, send the 401 response.

I use the following simple logic for this.

        // Count requests in this session; a missing attribute means this is the first one.
        Integer stored = (Integer) session.getAttribute("Counter");
        int counter = (stored == null) ? 0 : stored.intValue();
        counter++;
        session.setAttribute("Counter", Integer.valueOf(counter));
        if (counter >= 6)
        {
                // Reset the count and send a fresh challenge so the browser prompts again.
                session.removeAttribute("Counter");
                response.setHeader("WWW-Authenticate", "Basic realm=\"My Realm\"");
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
        }

In the above, once the counter goes past 5, I am forcing the user to log in. You can implement the conditional logic based on time instead.

Option 2) Theoretically the browser should cache the Authorization information till the Max-Age of the page. In Orion the cache-control is private to the Orion server and I am not sure how the Max-Age directive works with Orion. You can read section 14.8, Authorization, of RFC 2616.

If anyone succeeds with option 2, please let me know too.



Here is the full code of my sample JSP file. It works.


<%@page language="java"%>
<%
        // No credentials yet: send the Basic challenge.
        String auth = request.getHeader("Authorization");
        if (auth == null)
        {
                response.setHeader("WWW-Authenticate", "Basic realm=\"My Realm\"");
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
        }
        // Count requests in this session; a missing attribute means this is the first one.
        Integer stored = (Integer) session.getAttribute("Counter");
        int counter = (stored == null) ? 0 : stored.intValue();
        counter++;
        session.setAttribute("Counter", Integer.valueOf(counter));
        if (counter >= 6)
        {
                // Reset the count and send a fresh challenge so the browser prompts again.
                session.removeAttribute("Counter");
                response.setHeader("WWW-Authenticate", "Basic realm=\"My Realm\"");
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
        }
%>
<html>
<body>
        <h1>I received: <%=auth%></h1>
        Counter: <%=session.getAttribute("Counter")%><br>
        <A href="<%=response.encodeURL("Auth.jsp")%>">Retry</A>
</body>
</html>



Kesav Kumar
Software Engineer
Voquette, Inc.
650 356 3740
mailto:[EMAIL PROTECTED]
http://www.voquette.com
Voquette...Delivering Sound Information


>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Smith Jason
> Sent: Wednesday, June 13, 2001 6:38 AM
> To: Orion-Interest
> Subject: Force Logon after X minutes
>
> I am custom user-authentication.
>
> The user and groups are in a database and I am using BASIC authentication.
>
> How can I allow users to logoff w/o them closing their browser?
>
> How can I force them to logon again after x minutes?
>
> Thxs,
>
> Jason
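
The time-based variant of the counter check that the reply mentions, as an added example (not the poster's code). The `Map` stands in for the JSP `session`; `MAX_AGE_MS`, the `LoginAt` attribute and `mustChallenge` are assumed names, and the header and request times are constructed sample input.

```java
import java.util.HashMap;
import java.util.Map;

// Added example: forces a new Basic challenge X minutes after the last login.
// The Map stands in for HttpSession; all names here are assumptions.
public class TimedRelogin {
    static final long MAX_AGE_MS = 15 * 60 * 1000L; // X = 15 minutes (assumed)

    /** Returns true when the caller must answer 401 plus WWW-Authenticate. */
    static boolean mustChallenge(Map<String, Object> session, String authHeader, long now) {
        if (authHeader == null) {
            return true;                      // no credentials sent at all
        }
        Long loginAt = (Long) session.get("LoginAt");
        if (loginAt == null) {
            session.put("LoginAt", now);      // first credentialed request: start the window
            return false;
        }
        if (now - loginAt >= MAX_AGE_MS) {
            session.remove("LoginAt");        // the next credentialed request starts a new window
            return true;                      // reject once so the browser prompts again
        }
        return false;
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        String header = "Basic dXNlcjpwYXNz";         // constructed sample (user:pass)
        long[] offsetsMin = {0, 5, 14, 15, 16, 40};   // constructed request times, in minutes
        for (long m : offsetsMin) {
            boolean challenge = mustChallenge(session, header, m * 60_000L);
            System.out.println("t+" + m + "min -> " + (challenge ? "401 challenge" : "200 OK"));
        }
    }
}
```

In the JSP, a `true` result corresponds to setting `WWW-Authenticate` and calling `sendError` with 401. The credentials in the header still have to be verified on every request, which is outside this example.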
