But the browser just supplies the un/pw, and from the servlet side it looks
the same as a response which pops up the un/pw box.  You can keep the
session, and mark it as logged out, but invalidating it doesn't work.  This
also breaks down if you consider it like url rewriting.  You need to reject
the initial un/pw, even though it is valid, to force a new login.

Craig wrote:
> Thor HW wrote:
>
> > Craig:
> > Yes, that will invalidate the session, but the web browser will provide the
> > un/pw to the next call from the same domain, which then won't ask the user to
> > log in again.  It doesn't provide a forced log in the second time around.  I
> > haven't found a nice way around this, other than to set another cookie
> > marking the browser as a dead session.
> >
>
> I haven't ever played with Basic authentication and servlets together, but
> can't you do something like send an SC_UNAUTHORIZED response whenever you
> discover that there is no current session?  This would also cover the case
> where it really is the same user, but they let their session time out.
>
>
> >
> > Thor HW
>
> Craig
>
>
> >
> > ----- Original Message -----
> > From: Craig R. McClanahan <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Thursday, December 02, 1999 10:07 AM
> > Subject: Re: Forced Log on
> >
> > > Antonio Villafana wrote:
> > >
> > > > Hi everyone,
> > > >
> > > > Here is my question: How can I force a log-on
> > > > using HTTP authentication in my servlet? Currently, if a user logs off
> > > > and tries to log on immediately after, he/she is not presented with
> > > > the authentication dialog. I am using
> > > > the <resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED)> to capture
> > > > username and password if the initial try is invalid. Also, shouldn't
> > > > <session.invalidate> destroy that session immediately? I'm using
> > > > ServletExec with Apache.
> > > >
> > > > Code snippet for session invalidation:
> > > >
> > > >     HttpSession session = req.getSession(true);
> > > >     if (session != null) {
> > > >         HttpSessionContext context = session.getSessionContext();
> > > >         HttpSession curSession = context.getSession("Login.User");
> > > >         if (curSession != null) curSession.invalidate();
> > > >     }
> > > >
> > > > Any suggestions?
> > > >
> > > > Antonio
> > >
> > > One thing to note is that HttpSessionContext was deprecated in version
> > > 2.1 of the API, and you won't be able to use it.  If all you want to do
> > > is invalidate the current session, just do this:
> > >
> > >     HttpSession session = req.getSession(false);
> > >     if (session != null)
> > >         session.invalidate();
> > >
> > > Craig McClanahan
> > >
> > >
> > > ___________________________________________________________________________
> > > To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> > > of the message "signoff SERVLET-INTEREST".
> > >
> > > Archives: http://archives.java.sun.com/archives/servlet-interest.html
> > > Resources: http://java.sun.com/products/servlet/external-resources.html
> > > LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
> > >
> >
>
>

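The approach described at the top of this message (keep the session, mark it as logged out, and reject the first credentials once even though they are valid), as an added example that is not code from this thread or from any poster. It assumes the `javax.servlet` API and Java 8+ for `Base64`; the class name, realm, session attribute name, `/logout` path and the demo credential are hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.servlet.http.*;

public class ForcedLoginServlet extends HttpServlet {
    private static final String REALM = "example-realm";       // assumed realm name
    private static final String LOGGED_OUT = "loggedOut";      // assumed session attribute
    private static final String DEMO_CREDS = "demo:demo-pass"; // constructed; use a real user store
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(true);
        if ("/logout".equals(req.getPathInfo())) {
            // Keep the session and flag it: the browser will replay its cached
            // credentials, so invalidating the session alone forces nothing.
            session.setAttribute(LOGGED_OUT, Boolean.TRUE);
            resp.getWriter().println("Logged out.");
            return;
        }
        String auth = req.getHeader("Authorization");
        if (auth == null || !credentialsValid(auth)) {
            challenge(resp); // flag stays set until credentials are actually presented
            return;
        }
        if (session.getAttribute(LOGGED_OUT) != null) {
            // First valid credentials seen after logout are the cached ones:
            // reject them once so the browser shows its dialog again.
            session.removeAttribute(LOGGED_OUT);
            challenge(resp);
            return;
        }
        resp.getWriter().println("Welcome.");
    }

    private static void challenge(HttpServletResponse resp) {
        resp.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    }
    private static boolean credentialsValid(String header) {
        if (!header.regionMatches(true, 0, "Basic ", 0, 6)) return false;
        try {
            byte[] given = Base64.getDecoder().decode(header.substring(6).trim());
            // Constant-time comparison against the constructed demo credential.
            return MessageDigest.isEqual(given, DEMO_CREDS.getBytes(StandardCharsets.UTF_8));
        } catch (IllegalArgumentException badBase64) {
            return false;
        }
    }
}
```

The flag is cleared only when a request carrying valid credentials is rejected, so a request that arrives without an `Authorization` header does not use up the forced prompt.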