Re: Force Logon after X minutes
Returning a 401 HTTP response to the user should be sufficient to force current IE and Netscape browsers to re-request user credentials. However, I have noticed that many versions (including IE5.5) will cache the password, thus allowing the user to simply hit enter to re-authenticate. It is impossible to be certain, on the server side, that a password is coming from the fingers of a user and not from the cache of a browser, unless you use one-time passwords, S/KEY etc.

As a result, a common solution has become to temporarily redirect to a login servlet which remembers the requested page (or just shoves it in a hidden input tag, but storing it in the session seems cleaner) and forwards the user upon correct authentication. At least then you're forcing them through a form. This behaviour preserves bookmarking, but may break a POST submission if the user spends ages filling in the original post (this could be finessed).

Unfortunately I see a general trend towards browsers remembering form passwords. Complain to your browser vendor (ha!). If you're really still concerned, implement S/KEY and issue hardware to your users. Or use certs.

I'm curious - has anyone done this already? A usermanager with S/KEY support?

J

On Wed, 13 Jun 2001, Nick Newman wrote:

> The problem is that with BASIC authentication the *browser* remembers the
> logon information and resends it whenever needed. Hence things like
> invalidating the session will not work, since the browser will simply log
> the user in again without their intervention.
>
> So far as I know, there is no solution to this problem. If you use BASIC
> authentication, the user has to shut down the browser to log off.
>
> If someone knows differently, I too would certainly love to hear the answer.
>
> Nick
>
> At 03:18 PM 6/13/01 -0400, you wrote:
> >is it too obvious to say:
> >
> >send out the pages w/ an expire time
> >set the http session expiration to a desired interval to prevent use after x
> >minutes...create a logoff function that invalidates their session...
> >
> >is that too simplistic?
> >
> >regards,
> >Mike Conway
> >
> >cybermaster wrote:
> >
> > > <%
> > > if (session != null) {
> > >     session.invalidate();
> > > }
> > > %>
> > >
> > > --peter
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED]]On Behalf Of Smith Jason
> > > Sent: Wednesday, June 13, 2001 6:38 AM
> > > To: Orion-Interest
> > > Subject: Force Logon after X minutes
> > >
> > > I am using custom user authentication.
> > >
> > > The user and groups are in a database and I am using BASIC authentication.
> > >
> > > How can I allow users to logoff w/o them closing their browser?
> > >
> > > How can I force them to logon again after x minutes?
> > >
> > > Thxs,
> > >
> > > Jason
Re: Force Logon after X minutes
One can use, in a servlet or a JSP:

    // Challenge the browser whenever the session carries the logout flag.
    if (session.getAttribute("logged_out") != null) {
        // RFC 2616 10.4.2 requires WWW-Authenticate on a 401; the realm
        // must match the one the container challenges with.
        response.setHeader("WWW-Authenticate", "Basic realm=\"<your realm>\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Logout...");
        return;
    }

Whenever you want your user logged out, set a session attribute called "logged_out". On the main page do not check this attribute, but clear it. The user will be asked for the username and password again when the browser receives Error 401 (SC_UNAUTHORIZED).

Tradeoff: you have to check that everywhere, in every JSP or servlet.

Lachezar

> The problem is that with BASIC authentication the *browser* remembers the
> logon information and resends it whenever needed. Hence things like
> invalidating the session will not work, since the browser will simply log
> the user in again without their intervention.
>
> So far as I know, there is no solution to this problem. If you use BASIC
> authentication, the user has to shut down the browser to log off.
>
> If someone knows differently, I too would certainly love to hear the answer.
>
> Nick
>
> At 03:18 PM 6/13/01 -0400, you wrote:
> >is it too obvious to say:
> >
> >send out the pages w/ an expire time
> >set the http session expiration to a desired interval to prevent use after x
> >minutes...create a logoff function that invalidates their session...
> >
> >is that too simplistic?
> >
> >regards,
> >Mike Conway
> >
> >cybermaster wrote:
> >
> > > <%
> > > if (session != null) {
> > >     session.invalidate();
> > > }
> > > %>
> > >
> > > --peter
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED]]On Behalf Of Smith Jason
> > > Sent: Wednesday, June 13, 2001 6:38 AM
> > > To: Orion-Interest
> > > Subject: Force Logon after X minutes
> > >
> > > I am using custom user authentication.
> > >
> > > The user and groups are in a database and I am using BASIC authentication.
> > >
> > > How can I allow users to logoff w/o them closing their browser?
> > >
> > > How can I force them to logon again after x minutes?
> > >
> > > Thxs,
> > >
> > > Jason
RE: Force Logon after X minutes
The browser remembers the Authorization header for that realm. There are a couple of ways you can force the browser to re-login.

Option 1) In your code have a kind of check for a time interval; after each time interval, if you get a request, send the 401 response. I use the following simple logic for this.

    // Count requests in this session; a missing attribute means a fresh count.
    Integer stored = (Integer) session.getAttribute("Counter");
    int counter = (stored == null) ? 0 : stored.intValue();
    counter++;
    session.setAttribute("Counter", new Integer(counter));
    // Every sixth request: drop the counter and force a new BASIC challenge.
    if (counter >= 6) {
        session.removeAttribute("Counter");
        response.setHeader("WWW-Authenticate", "Basic realm=\"My Realm\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return;
    }

In the above, once the counter passes 5 I am forcing the user to log in. The conditional logic you can implement based on time.

Option 2) Theoretically the browser should cache the Authorization information till the Max-Age of the page. In Orion the cache-control is private to the Orion server and I am not sure how the Max-Age directive works with Orion. You can read section 14.8 Authorization in RFC 2616. If anyone succeeds with option 2, please let me know too.

Here is the full code of my sample JSP file. It works.

    <%@ page language="java" %>
    <%
        // Challenge if the browser sent no credentials at all.
        if (request.getHeader("Authorization") == null) {
            response.setHeader("WWW-Authenticate", "Basic realm=\"My Realm\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Count requests in this session; a missing attribute means a fresh count.
        Integer stored = (Integer) session.getAttribute("Counter");
        int counter = (stored == null) ? 0 : stored.intValue();
        counter++;
        session.setAttribute("Counter", new Integer(counter));
        String auth = request.getHeader("Authorization");
        // Every sixth request: drop the counter and force a new BASIC challenge.
        if (counter >= 6) {
            session.removeAttribute("Counter");
            response.setHeader("WWW-Authenticate", "Basic realm=\"My Realm\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
    %>
    I received: <%=auth%>
    Counter: <%=session.getAttribute("Counter")%>
    ">Retry

Kesav Kumar
Software Engineer
Voquette, Inc.
650 356 3740
mailto:[EMAIL PROTECTED]
http://www.voquette.com
Voquette...Delivering Sound Information

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Smith Jason
> Sent: Wednesday, June 13, 2001 6:38 AM
> To: Orion-Interest
> Subject: Force Logon after X minutes
>
> I am using custom user authentication.
>
> The user and groups are in a database and I am using BASIC authentication.
>
> How can I allow users to logoff w/o them closing their browser?
>
> How can I force them to logon again after x minutes?
>
> Thxs,
>
> Jason
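Lachezar's "logged_out" flag and Kesav's per-interval re-challenge can be combined into one servlet filter instead of repeating the check in every JSP. The class below is an added example, not code from any post in this thread: the class name, the attribute names, the 15-minute interval and the realm string are assumptions, and the realm must match whatever the container challenges with.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Forces a fresh BASIC challenge on explicit logout or after MAX_AGE_MS (names assumed). */
public class ForcedReauthFilter implements Filter {
    static final String LOGOUT_FLAG = "logged_out";   // set by logout()
    static final String AUTH_STAMP = "auth_time";     // millis of last challenge
    static final long MAX_AGE_MS = 15L * 60 * 1000;   // 15 minutes, assumed value
    static final String CHALLENGE = "Basic realm=\"My Realm\""; // must match container realm

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = ((HttpServletRequest) req).getSession(true);
        long now = System.currentTimeMillis();
        Long stamp = (Long) session.getAttribute(AUTH_STAMP);

        if (stamp == null) {
            // First request in this session: the container already authenticated it.
            session.setAttribute(AUTH_STAMP, Long.valueOf(now));
        } else if (session.getAttribute(LOGOUT_FLAG) != null
                   || now - stamp.longValue() > MAX_AGE_MS) {
            // Clear the state first so the browser's retry is not challenged again,
            // then send 401 with WWW-Authenticate (required by RFC 2616 10.4.2).
            // A browser that cached the password answers this by itself, so this
            // forces a round trip, not necessarily a retyped password.
            session.removeAttribute(LOGOUT_FLAG);
            session.setAttribute(AUTH_STAMP, Long.valueOf(now));
            response.setHeader("WWW-Authenticate", CHALLENGE);
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Call from a logout page; the next filtered request receives the 401. */
    public static void logout(HttpSession session) {
        session.setAttribute(LOGOUT_FLAG, Boolean.TRUE);
    }
}
```

Map the filter to the protected URL patterns in web.xml; since it only issues challenges, the container's own BASIC realm still decides whether the resent credentials are accepted.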
Re: Force Logon after X minutes
Hello Smith,

Create a class that implements HttpSessionBindingListener. In valueUnbound(HttpSessionBindingEvent event) put whatever code you need to log out. When you create the session, store an object of that class, so when the session expires the user is logged out.

--
Best regards,
Rafael mailto:[EMAIL PROTECTED]
Re: Force Logon after X minutes
The problem is that with BASIC authentication the *browser* remembers the logon information and resends it whenever needed. Hence things like invalidating the session will not work, since the browser will simply log the user in again without their intervention.

So far as I know, there is no solution to this problem. If you use BASIC authentication, the user has to shut down the browser to log off.

If someone knows differently, I too would certainly love to hear the answer.

Nick

At 03:18 PM 6/13/01 -0400, you wrote:
>is it too obvious to say:
>
>send out the pages w/ an expire time
>set the http session expiration to a desired interval to prevent use after x
>minutes...create a logoff function that invalidates their session...
>
>is that too simplistic?
>
>regards,
>Mike Conway
>
>cybermaster wrote:
>
> > <%
> > if (session != null) {
> >     session.invalidate();
> > }
> > %>
> >
> > --peter
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Smith Jason
> > Sent: Wednesday, June 13, 2001 6:38 AM
> > To: Orion-Interest
> > Subject: Force Logon after X minutes
> >
> > I am using custom user authentication.
> >
> > The user and groups are in a database and I am using BASIC authentication.
> >
> > How can I allow users to logoff w/o them closing their browser?
> >
> > How can I force them to logon again after x minutes?
> >
> > Thxs,
> >
> > Jason
Re: Force Logon after X minutes
is it too obvious to say:

send out the pages w/ an expire time
set the http session expiration to a desired interval to prevent use after x minutes...create a logoff function that invalidates their session...

is that too simplistic?

regards,
Mike Conway

cybermaster wrote:

> <%
> if (session != null) {
>     session.invalidate();
> }
> %>
>
> --peter
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Smith Jason
> Sent: Wednesday, June 13, 2001 6:38 AM
> To: Orion-Interest
> Subject: Force Logon after X minutes
>
> I am using custom user authentication.
>
> The user and groups are in a database and I am using BASIC authentication.
>
> How can I allow users to logoff w/o them closing their browser?
>
> How can I force them to logon again after x minutes?
>
> Thxs,
>
> Jason
RE: Force Logon after X minutes
    <%
    // Invalidate the server-side session (the browser may still resend
    // its cached BASIC credentials on the next request).
    if (session != null) {
        session.invalidate();
    }
    %>

--peter

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Smith Jason
Sent: Wednesday, June 13, 2001 6:38 AM
To: Orion-Interest
Subject: Force Logon after X minutes

I am using custom user authentication.

The user and groups are in a database and I am using BASIC authentication.

How can I allow users to logoff w/o them closing their browser?

How can I force them to logon again after x minutes?

Thxs,

Jason
Force Logon after X minutes
I am using custom user authentication.

The user and groups are in a database and I am using BASIC authentication.

How can I allow users to logoff w/o them closing their browser?

How can I force them to logon again after x minutes?

Thxs,

Jason