Re: Force Logon after X minutes

2001-06-14 Thread Joshua Goodall


Returning a 401 HTTP response to the user should be sufficient to force
current IE and Netscape browsers to re-request user credentials. However I
have noticed that many versions (including IE5.5) will cache the password
thus allowing the user to simply hit enter to re-authenticate.

It is impossible to be certain, on the server-side, that a password is
coming from the fingers of a user and not from the cache of a browser,
unless you use one-time passwords, S/KEY, etc.

As a result, a common solution has become to temporarily redirect to a
login servlet which remembers the requested page (or just shoves it in a
hidden input tag, but storing in the session seems cleaner) and forwards
the user upon correct authentication. At least then you're forcing them
through a form. This behaviour preserves bookmarking, but may break a POST
submission if the user spends ages filling in the original post (this
could be finessed).

Unfortunately I see a general trend towards browsers remembering form
passwords. Complain to your browser vendor (ha!). If you're really still
concerned, implement S/KEY and issue hardware to your users. Or use certs.

I'm curious - has anyone done this already? A usermanager with S/KEY
support?

J

On Wed, 13 Jun 2001, Nick Newman wrote:

> The problem is that with BASIC authentication the *browser* remembers the
> logon information and resends it whenever needed. Hence things like
> invalidating the session will not work, since the browser will simply log
> the user in again without their intervention.
>
> So far as I know, there is no solution to this problem. If you use BASIC
> authentication, the user has to shut down the browser to log off.
>
> If someone knows differently, I too would certainly love to hear the answer.
>
> Nick
>

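The login-servlet pattern described above, as an added example (not code from the thread or from Orion): a protected page calls requireLogin(), which stores the requested URL in the session and redirects to the login form; after a correct POST the servlet sends the user back to that URL. The /login mapping, the attribute names user and return_to, and the checkPassword stand-in with its constructed demo user are assumptions.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Form-login flow: a protected page calls requireLogin(); with no "user" in
// the session it remembers the requested URL and redirects to /login (assumed).
public class LoginServlet extends HttpServlet {
    static final String USER = "user";           // assumed attribute name
    static final String RETURN_TO = "return_to"; // assumed attribute name

    // Returns true if the caller may proceed; false after sending the redirect.
    public static boolean requireLogin(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        HttpSession session = req.getSession(true);
        if (session.getAttribute(USER) != null) return true;
        String target = req.getRequestURI();
        if (req.getQueryString() != null) target += "?" + req.getQueryString();
        // Only the URL is kept, so a pending POST body is lost (the caveat above).
        session.setAttribute(RETURN_TO, target);
        res.sendRedirect(req.getContextPath() + "/login");
        return false;
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse res) throws IOException {
        res.setContentType("text/html");
        // autocomplete="off" asks the browser not to remember the form password.
        res.getWriter().print("<form method=\"post\" autocomplete=\"off\">"
            + "User <input name=\"u\"> Pass <input type=\"password\" name=\"p\">"
            + "<input type=\"submit\" value=\"Login\"></form>");
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException {
        String u = req.getParameter("u"), p = req.getParameter("p");
        if (u == null || p == null || !checkPassword(u, p)) {
            doGet(req, res);   // wrong credentials: show the form again
            return;
        }
        HttpSession session = req.getSession(true);
        String back = (String) session.getAttribute(RETURN_TO);
        session.removeAttribute(RETURN_TO);
        session.setAttribute(USER, u);
        res.sendRedirect(back != null ? back : req.getContextPath() + "/");
    }

    // Stand-in for the database lookup the original poster describes (assumed).
    protected boolean checkPassword(String user, String pass) {
        return "demo".equals(user) && "demo-password".equals(pass); // constructed sample user
    }
}
```

Logging out is then just removing the "user" attribute (or invalidating the session), since nothing is cached in the browser for a form login.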




Re: Force Logon after X minutes

2001-06-14 Thread Lachezar Dobrev

   One can use in a servlet, or a JSP:

   if (session.getAttribute("logged_out") != null) {
       response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Logout...");
       return;
   }


   Whenever you want your user logged out: set a session attribute called
"logged_out".

   On the main page do not check this attribute, but clear it.

   The user will be asked for the username and password again when the
browser receives Error 401 (SC_UNAUTHORIZED).
   Tradeoff: you have to check that everywhere in every JSP or servlet.

   Lachezar

> The problem is that with BASIC authentication the *browser* remembers the
> logon information and resends it whenever needed. Hence things like
> invalidating the session will not work, since the browser will simply log
> the user in again without their intervention.
>
> So far as I know, there is no solution to this problem. If you use BASIC
> authentication, the user has to shut down the browser to log off.
>
> If someone knows differently, I too would certainly love to hear the answer.
>
> Nick
>






RE: Force Logon after X minutes

2001-06-13 Thread Kesav Kumar


The browser remembers the Authorization header for that realm.  There are a couple of ways you can force the browser to re-login.

Option 1) In your code, have a check of some kind for a time interval; after the time interval, if you get a request, send the 401 response.

I use the following simple logic for this.


    // Per-session request counter; a missing attribute means a fresh session.
    Integer stored = (Integer) session.getAttribute("Counter");
    int counter = (stored == null) ? 0 : stored.intValue();
    counter++;
    session.setAttribute("Counter", new Integer(counter));
    // Every sixth request: reset the counter and re-issue the 401 challenge
    // so the browser asks for credentials again.
    if (counter >= 6) {
        session.removeAttribute("Counter");
        response.setHeader("WWW-Authenticate", "Basic realm=\"My Realm\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return;
    }


In the above, once the counter passes 5 I am forcing the user to log in.  The conditional logic you can implement based on time.

Option 2) Theoretically the browser should cache the Authorization information till the Max-Age of the page.  In Orion the cache-control is private to the Orion server and I am not sure how the Max-Age directive works with Orion.  You can read section 14.8 Authorization in RFC 2616.

If anyone has succeeded with option 2, please let me also know.




Here is the full code of my sample JSP file.  It works.



<%@ page language="java" %>
<%
    // No credentials at all: send the BASIC challenge.
    if (request.getHeader("Authorization") == null) {
        response.setHeader("WWW-Authenticate", "Basic realm=\"My Realm\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return;
    }
    // Per-session request counter; a missing attribute means a fresh session.
    Integer stored = (Integer) session.getAttribute("Counter");
    int counter = (stored == null) ? 0 : stored.intValue();
    counter++;
    session.setAttribute("Counter", new Integer(counter));
    String auth = request.getHeader("Authorization");
    // Every sixth request: reset the counter and re-issue the 401 challenge
    // so the browser asks for credentials again.
    if (counter >= 6) {
        session.removeAttribute("Counter");
        response.setHeader("WWW-Authenticate", "Basic realm=\"My Realm\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return;
    }
%>

    <%-- debugging output: echoes the raw Authorization header back to the browser --%>
    I received: <%= auth %>
    Counter: <%= session.getAttribute("Counter") %>
    <a href="...">Retry</a>






Kesav Kumar
Software Engineer
Voquette, Inc.
650 356 3740
mailto:[EMAIL PROTECTED]
http://www.voquette.com
Voquette...Delivering Sound Information



>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Smith Jason
> Sent: Wednesday, June 13, 2001 6:38 AM
> To: Orion-Interest
> Subject: Force Logon after X minutes
>
> I am using custom user-authentication.
>
> The user and groups are in a database and I am using BASIC authentication.
>
> How can I allow users to logoff w/o them closing their browser?
>
> How can I force them to logon again after x minutes?
>
> Thxs,
>
> Jason
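A servlet filter that combines the two approaches in this thread, Lachezar's "logged_out" session flag and Kesav's periodic 401, with the request counter replaced by a time window as Kesav suggests. This is added example code, not from the thread or from Orion; the attribute name auth_time, the 15-minute window and the realm name are assumptions. Because a filter runs on every request, the check need not be repeated in each JSP (the tradeoff Lachezar notes).

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Re-challenges a BASIC-authenticated browser with 401 when the session carries
// the "logged_out" flag (set by a logout page) or when the current window,
// started at the last challenge, is older than MAX_AGE_MILLIS (assumed: 15 min).
public class ReauthFilter implements Filter {
    static final String LOGGED_OUT = "logged_out";        // flag name from the thread
    static final String AUTH_TIME = "auth_time";          // assumed attribute name
    static final long MAX_AGE_MILLIS = 15L * 60 * 1000;   // "X minutes", assumed
    static final String REALM = "My Realm";               // realm from the thread

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);
        long now = System.currentTimeMillis();
        Long authTime = (Long) session.getAttribute(AUTH_TIME);
        if (authTime == null) {                 // first request of a session: open a window
            authTime = new Long(now);
            session.setAttribute(AUTH_TIME, authTime);
        }
        boolean loggedOut = session.getAttribute(LOGGED_OUT) != null;
        boolean stale = now - authTime.longValue() > MAX_AGE_MILLIS;
        if (loggedOut || stale) {
            // Start a new window before challenging: the browser's next request
            // (with freshly entered credentials) must pass without a second 401.
            session.removeAttribute(LOGGED_OUT);
            session.setAttribute(AUTH_TIME, new Long(now));
            response.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(request, response);
    }
}
```

Register it in web.xml with a <filter> element and a <filter-mapping> on /*; as the thread points out, a browser that re-sends cached credentials answers the 401 without prompting, and the server cannot tell the difference.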





Re: Force Logon after X minutes

2001-06-13 Thread Rafael Alvarez

Hello Smith,

Create a class that implements HttpSessionBindingListener.
In valueUnbound(HttpSessionBindingEvent event) put whatever code
you need to log out.

When you create the session, store an object of that class, so when
the session expires the user is logged out.

-- 
Best regards,
 Rafael                          mailto:[EMAIL PROTECTED]






Re: Force Logon after X minutes

2001-06-13 Thread Nick Newman

The problem is that with BASIC authentication the *browser* remembers the 
logon information and resends it whenever needed. Hence things like 
invalidating the session will not work, since the browser will simply log 
the user in again without their intervention.

So far as I know, there is no solution to this problem. If you use BASIC 
authentication, the user has to shut down the browser to log off.

If someone knows differently, I too would certainly love to hear the answer.

Nick



At 03:18 PM 6/13/01 -0400, you wrote:
>is it too obvious to say:
>
>send out the pages w/ an expire time
>set the http session expiration to a desired interval to prevent use after x
>minutes...create a logoff function that invalidates their session...
>
>is that too simplistic?
>
>regards,
>Mike Conway





Re: Force Logon after X minutes

2001-06-13 Thread Mike Conway

is it too obvious to say:

send out the pages w/ an expire time
set the http session expiration to a desired interval to prevent use after x
minutes...create a logoff function that invalidates their session...

is that too simplistic?

regards,
Mike Conway

cybermaster wrote:

> <%
> if (session != null) {
> session.invalidate();
> }
>
> %>
>
> --peter
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Smith Jason
> Sent: Wednesday, June 13, 2001 6:38 AM
> To: Orion-Interest
> Subject: Force Logon after X minutes
>
> I am using custom user-authentication.
>
> The user and groups are in a database and I am using BASIC authentication.
>
> How can I allow users to logoff w/o them closing their browser?
>
> How can I force them to logon again after x minutes?
>
> Thxs,
>
> Jason





RE: Force Logon after X minutes

2001-06-13 Thread cybermaster

<%
    if (session != null) {
        session.invalidate();
    }
%>

--peter

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Smith Jason
Sent: Wednesday, June 13, 2001 6:38 AM
To: Orion-Interest
Subject: Force Logon after X minutes

I am using custom user-authentication.

The user and groups are in a database and I am using BASIC authentication.

How can I allow users to logoff w/o them closing their browser?

How can I force them to logon again after x minutes?

Thxs,

Jason







Force Logon after X minutes

2001-06-13 Thread Smith Jason

I am using custom user-authentication.

The user and groups are in a database and I am using BASIC authentication.

How can I allow users to logoff w/o them closing their browser?

How can I force them to logon again after x minutes?

Thxs,

Jason