The browser remembers the Authorization header for that realm. There are a couple of ways you can force the browser to log in again.
Option 1) In your code, have some kind of check for a time interval; if you get a request after the time interval, send the 401 response.
I use the following simple logic for this.
    // Count the requests seen in this session; a missing attribute means zero.
    Integer stored = (Integer) session.getAttribute("Counter");
    int counter = (stored == null) ? 0 : stored.intValue();
    counter++;
    session.setAttribute("Counter", Integer.valueOf(counter));
    if (counter >= 6)
    {
        // Reset the counter and answer 401 so the browser prompts again.
        session.removeAttribute("Counter");
        response.setHeader("WWW-Authenticate", "Basic realm=\"My Realm\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return;
    }
In the above, once the counter goes past 5, I am forcing the user to log in. You can implement the conditional logic based on time.
Option 2) Theoretically the browser should cache the Authorization information till the Max-Age of the page. In Orion the cache-control is private to the Orion server and I am not sure how the Max-Age directive works with Orion. You can read section 14.8, Authorization, of RFC 2616.
If anyone succeeds with option 2, please let me know too.
Here is the full code of my sample JSP file. It works.
<%@page language="java"%>
<%
    // No credentials yet: challenge so the browser shows the login dialog.
    if (request.getHeader("Authorization") == null)
    {
        response.setHeader("WWW-Authenticate", "Basic realm=\"My Realm\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return;
    }
    // Count the authenticated requests made in this session.
    Integer stored = (Integer) session.getAttribute("Counter");
    int counter = (stored == null) ? 0 : stored.intValue();
    counter++;
    session.setAttribute("Counter", Integer.valueOf(counter));
    // Echoed in the page below for demonstration only.
    String auth = request.getHeader("Authorization");
    // On the sixth request, reset the counter and challenge again.
    if (counter >= 6)
    {
        session.removeAttribute("Counter");
        response.setHeader("WWW-Authenticate", "Basic realm=\"My Realm\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return;
    }
%>
<html>
<body>
<h1>I received: <%=auth%></h1>
Counter: <%=session.getAttribute("Counter")%><br>
<A href="<%=response.encodeURL("Auth.jsp")%>">Retry</A>
</body>
</html>
Kesav Kumar
Software Engineer
Voquette, Inc.
650 356 3740
mailto:[EMAIL PROTECTED]
http://www.voquette.com
Voquette...Delivering Sound Information
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Smith Jason
> Sent: Wednesday, June 13, 2001 6:38 AM
> To: Orion-Interest
> Subject: Force Logon after X minutes
>
> I am using custom user authentication.
>
> The user and groups are in a database and I am using BASIC authentication.
>
> How can I allow users to logoff w/o them closing their browser?
>
> How can I force them to logon again after x minutes?
>
> Thxs,
>
> Jason
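
The time-based variant of the counter check from the reply, as an added example that is not code from this thread: it goes one step beyond the reply by also covering the explicit logoff asked about in the quoted question. Assumptions: the session is modelled as a plain Map so the class runs without a servlet container, and the attribute names "LoginTime" and "ForceChallenge" are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;

public class BasicReauthPolicy {
    // Hypothetical session attribute names (not from the thread).
    static final String LOGIN_TIME = "LoginTime";
    static final String FORCE = "ForceChallenge";

    /** Returns true when the page should answer 401 plus WWW-Authenticate. */
    static boolean mustChallenge(Map<String, Object> session, String authorization,
                                 long nowMillis, long maxAgeMillis) {
        if (authorization == null) {
            return true;                      // no credentials sent at all
        }
        if (session.remove(FORCE) != null) {  // logoff was requested earlier
            session.remove(LOGIN_TIME);
            return true;
        }
        Long loginTime = (Long) session.get(LOGIN_TIME);
        if (loginTime == null) {              // first request after a prompt
            session.put(LOGIN_TIME, Long.valueOf(nowMillis));
            return false;
        }
        if (nowMillis - loginTime.longValue() >= maxAgeMillis) {
            session.remove(LOGIN_TIME);       // next credentials open a new window
            return true;
        }
        return false;
    }

    /** Marks the session so that the next request is challenged once. */
    static void logoff(Map<String, Object> session) {
        session.put(FORCE, Boolean.TRUE);
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        String auth = "Basic dXNlcjpwYXNz";   // constructed sample header ("user:pass")
        long minute = 60_000L;
        long maxAge = 15 * minute;
        System.out.println("no header:     " + mustChallenge(session, null, 0, maxAge));
        System.out.println("first login:   " + mustChallenge(session, auth, 0, maxAge));
        System.out.println("after 10 min:  " + mustChallenge(session, auth, 10 * minute, maxAge));
        System.out.println("after 15 min:  " + mustChallenge(session, auth, 15 * minute, maxAge));
        System.out.println("re-entered:    " + mustChallenge(session, auth, 16 * minute, maxAge));
        logoff(session);
        System.out.println("after logoff:  " + mustChallenge(session, auth, 17 * minute, maxAge));
    }
}
```

In a JSP the Map calls correspond to session.getAttribute, setAttribute and removeAttribute, and a true result is followed by the same setHeader and sendError lines used in the reply. The check only works while the session is tracked (cookie or encodeURL rewriting); without it every request looks like a first login.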