RE: Can JSP track users in a basic authentication protected realm ?
Your best bet when dealing with authentication and users not logging off is to also include a session expiry for your page. This handles the case where a user leaves without logging off.

-Hakan

-----Original Message-----
From: Jon Wingfield [mailto:[EMAIL PROTECTED]
Sent: Monday, September 22, 2003 6:25 AM
To: Tomcat Users List
Subject: Re: Can JSP track users in a basic authentication protected realm ?

You could possibly track the "referer" header of the request. If the referer is a site outside your protection domain then re-authenticate. This could be done in a filter: Check the header, log out the user, redirect to the requested page to trigger re-authentication.

This technique assumes the "referer" header has been set by the browser. As it's not a mandatory header you may not always get it:

http://www.w3.org/Protocols/rfc2616/rfc2616.txt

Specifically section 14.36 Referer

HTH,

Jon

David wrote:
> Actually I do not know how to do it. I know those internet banking sites do it. They have this option of "Log out" for their users. When users click on that "log out" option, they will in effect log out of the protected realm. Should they decide to return to the same site again (using the same instance of the IE) they will be prompted for the password and ID again.
>
> Currently, with basic authentication (implemented using HTTP SERVER) the server does not recognise if the user has moved onto another site outside the protected realm. If he decides to surf an area outside the protected realm, and decides to return to the protected realm, he will not be prompted for a password.
>
> This problem arises when the computer being used to access my protected realm is a public computer. If that is the case, users who enter my protected realm and forget to terminate that instance of the IE are going to allow subsequent users of that machine to access my site.
>
> My question is how can I implement such a way as mentioned above? The "log out" button kind of effect.
>
> Many thanks.
>
> Regards
> David
>
> -----Original Message-----
> From: George Sexton [mailto:[EMAIL PROTECTED]
> Sent: Sunday, September 21, 2003 12:47 AM
> To: 'Tomcat Users List'
> Subject: RE: Can JSP track users in a basic authentication protected realm ?
>
> Can you explain how Tomcat will be able to tell whether the user has navigated away and returned, versus just taken some period of time before getting the next page?
>
> -----Original Message-----
> From: David [mailto:[EMAIL PROTECTED]
> Sent: Saturday, September 20, 2003 9:56 AM
> To: Tomcat User
> Subject: Can JSP track users in a basic authentication protected realm ?
>
> Hi guys,
>
> Does anyone know how I can implement the above mentioned? Once they exit the protected realm (i.e. the protected folder in my htdocs), when they re-enter the site again they will be asked for a password. I have a simple basic authentication system but it doesn't track the user when it leaves the protected realm. What I wanted to do was to get the server to re-authenticate the user every time he leaves my realm and tries to re-enter again.
>
> Some people suggested CGI, some suggested PHP.
>
> I would like to know if JSP can do the job. If yes, what level of competence do I know JSP?
Re: Can JSP track users in a basic authentication protected realm ?
You could possibly track the "referer" header of the request. If the referer is a site outside your protection domain then re-authenticate. This could be done in a filter: Check the header, log out the user, redirect to the requested page to trigger re-authentication.

This technique assumes the "referer" header has been set by the browser. As it's not a mandatory header you may not always get it:

http://www.w3.org/Protocols/rfc2616/rfc2616.txt

Specifically section 14.36 Referer

HTH,

Jon
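
An added example, not code from any poster in this thread: a servlet filter that combines the Referer check described in the message above with the session expiry suggested in the first reply. The class name, the 300-second limit and the guard attribute are hypothetical; it uses the `javax.servlet` API (Tomcat 9 and earlier) and assumes the login state lives in the servlet session.

```java
import java.io.IOException;
import java.net.URI;
import javax.servlet.*;
import javax.servlet.http.*;

// Added illustration; ReauthFilter, IDLE_SECONDS and GUARD are hypothetical names.
public class ReauthFilter implements Filter {
    private static final int IDLE_SECONDS = 300;         // assumed idle limit
    private static final String GUARD = "reauth.guard";  // stops a redirect loop

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    // True when a Referer is present and names a host other than ours.
    // A missing header proves nothing: RFC 2616 section 14.36 makes it optional.
    static boolean cameFromOutside(String referer, String ownHost) {
        if (referer == null || referer.isEmpty()) return false;
        try {
            String host = URI.create(referer).getHost();
            return host == null || !host.equalsIgnoreCase(ownHost);
        } catch (IllegalArgumentException e) {
            return true; // unparsable value: treat it as external
        }
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse resp = (HttpServletResponse) rs;
        HttpSession session = req.getSession(true);
        session.setMaxInactiveInterval(IDLE_SECONDS);    // session expiry for idle users

        // The browser follows the redirect below with the same Referer, so the
        // first request after a forced logout is let through exactly once.
        if (session.getAttribute(GUARD) != null) {
            session.removeAttribute(GUARD);
        } else if (cameFromOutside(req.getHeader("Referer"), req.getServerName())) {
            session.invalidate();                        // log the user out
            req.getSession(true).setAttribute(GUARD, Boolean.TRUE);
            // Rebuild the target from server-side parts instead of echoing raw input.
            StringBuffer target = req.getRequestURL();
            if (req.getQueryString() != null) target.append('?').append(req.getQueryString());
            resp.sendRedirect(target.toString());
            return;
        }
        chain.doFilter(rq, rs);
    }
}
```

With HTTP Basic the browser resends its cached credentials on every request, so invalidating the session does not by itself bring the password prompt back.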
RE: Can JSP track users in a basic authentication protected realm ?
Actually I do not know how to do it. I know those internet banking sites do it. They have this option of "Log out" for their users. When users click on that "log out" option, they will in effect log out of the protected realm. Should they decide to return to the same site again (using the same instance of the IE) they will be prompted for the password and ID again.

Currently, with basic authentication (implemented using HTTP SERVER) the server does not recognise if the user has moved onto another site outside the protected realm. If he decides to surf an area outside the protected realm, and decides to return to the protected realm, he will not be prompted for a password.

This problem arises when the computer being used to access my protected realm is a public computer. If that is the case, users who enter my protected realm and forget to terminate that instance of the IE are going to allow subsequent users of that machine to access my site.

My question is how can I implement such a way as mentioned above? The "log out" button kind of effect.

Many thanks.

Regards
David
RE: Can JSP track users in a basic authentication protected realm ?
Can you explain how Tomcat will be able to tell whether the user has navigated away and returned, versus just taken some period of time before getting the next page?
Can JSP track users in a basic authentication protected realm ?
Hi guys,

Does anyone know how I can implement the above mentioned? Once they exit the protected realm (i.e. the protected folder in my htdocs), when they re-enter the site again they will be asked for a password. I have a simple basic authentication system but it doesn't track the user when it leaves the protected realm. What I wanted to do was to get the server to re-authenticate the user every time he leaves my realm and tries to re-enter again.

Some people suggested CGI, some suggested PHP.

I would like to know if JSP can do the job. If yes, what level of competence do I know JSP?