Returning a 401 HTTP response to the user should be sufficient to force
current IE and Netscape browsers to re-request user credentials. However, I
have noticed that many versions (including IE5.5) will cache the password,
thus allowing the user to simply hit enter to re-authenticate.

It is impossible to be certain, on the server-side, that a password is
coming from the fingers of a user and not from the cache of a browser,
unless you use one-time passwords, S/KEY, etc.

As a result, a common solution has become to temporarily redirect to a
login servlet which remembers the requested page (or just shoves it in a
hidden input tag, but storing in the session seems cleaner) and forwards
the user upon correct authentication. At least then you're forcing them
through a form. This behaviour preserves bookmarking, but may break a POST
submission if the user spends ages filling in the original post (this
could be finessed).

Unfortunately I see a general trend towards browsers remembering form
passwords. Complain to your browser vendor (ha!). If you're really still
concerned, implement S/KEY and issue hardware to your users. Or use certs.

I'm curious - has anyone done this already? A usermanager with S/KEY
support?

J
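The login-servlet pattern described above (remember the requested page in the session, force the user through a form, forward on success, and let them log off or time out without closing the browser), as an added example that is not code from the original thread. It assumes the Servlet 2.3 API (javax.servlet), a login.jsp form that POSTs user/pass to /login, and a hypothetical UserManager.check method for the database lookup; the two classes are nested in one file only for display.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
public class FormLogin {
    // Guards protected URLs: an unauthenticated request has its URL remembered in the session and is redirected to the login form.
    public static class AuthFilter implements Filter {
        public void init(FilterConfig cfg) {}
        public void destroy() {}
        public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain) throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) rq;
            HttpServletResponse res = (HttpServletResponse) rs;
            HttpSession session = req.getSession(true);
            if (session.getAttribute("user") == null) {
                String target = req.getRequestURI();          // the page they asked for
                if (req.getQueryString() != null) target += "?" + req.getQueryString();
                session.setAttribute("target", target);
                res.sendRedirect(req.getContextPath() + "/login.jsp");
                return;
            }
            // Expire protected pages so the browser does not replay them from its cache after the session is invalidated.
            res.setHeader("Cache-Control", "no-cache, no-store");
            chain.doFilter(rq, rs);
        }
    }
    // Handles the login form POST and the logoff link; mapped to /login in web.xml.
    public static class LoginServlet extends HttpServlet {
        public void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException {
            HttpSession old = req.getSession(true);
            String target = (String) old.getAttribute("target");
            String user = req.getParameter("user");
            // UserManager.check is a hypothetical lookup against the user/group database
            if (user == null || !UserManager.check(user, req.getParameter("pass"))) {
                res.sendRedirect(req.getContextPath() + "/login.jsp?failed=1");
                return;
            }
            old.invalidate();                              // fresh session id after login
            HttpSession session = req.getSession(true);
            session.setAttribute("user", user);
            session.setMaxInactiveInterval(15 * 60);       // force logon again after 15 idle minutes
            res.sendRedirect(target != null ? target : req.getContextPath() + "/");
        }
        // Logoff without closing the browser: GET /login?logout=1 drops the session.
        public void doGet(HttpServletRequest req, HttpServletResponse res) throws IOException {
            HttpSession session = req.getSession(false);
            if (session != null && req.getParameter("logout") != null) session.invalidate();
            res.sendRedirect(req.getContextPath() + "/login.jsp");
        }
    }
}
```

As the message notes, a browser that remembers form passwords can still refill the form; that part stays outside the server's control.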

On Wed, 13 Jun 2001, Nick Newman wrote:

> The problem is that with BASIC authentication the *browser* remembers the
> logon information and resends it whenever needed. Hence things like
> invalidating the session will not work, since the browser will simply log
> the user in again without their intervention.
>
> So far as I know, there is no solution to this problem. If you use BASIC
> authentication, the user has to shut down the browser to log off.
>
> If someone knows differently, I too would certainly love to hear the answer.
>
> Nick
>
>
>
> At 03:18 PM 6/13/01 -0400, you wrote:
> >is it too obvious to say:
> >
> >send out the pages w/ an expire time....
> >set the http session expiration to a desired interval to prevent use after x
> >minutes...create a logoff function that invalidates their session...
> >
> >is that too simplistic?
> >
> >regards,
> >Mike Conway
> >
> >cybermaster wrote:
> >
> > > <%
> > >         if (session != null) {
> > >                 session.invalidate();
> > >         }
> > >
> > > %>
> > >
> > >         --peter
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED]]On Behalf Of Smith Jason
> > > Sent: Wednesday, June 13, 2001 6:38 AM
> > > To: Orion-Interest
> > > Subject: Force Logon after X minutes
> > >
> > > I am using custom user-authentication.
> > >
> > > The user and groups are in a database and I am using BASIC authentication.
> > >
> > > How can I allow users to logoff w/o them closing their browser?
> > >
> > > How can I force them to logon again after x minutes?
> > >
> > > Thxs,
> > >
> > > Jason
>
>

