Before I post this as a bug & possibly make a complete idiot of myself,
please have a look...

Tomcat 5.5.7 on Win2k, MSIE6

1. load an authenticated page (JDBCRealm or DataSourceRealm w/SHA, FORM
login-config, SingleSignOn valve)

2. wait until authentication timeout OR close browser window & reopen

3. perform a conditional GET (i.e. reload WITHOUT ctl-shift)

Result: Tomcat returns 304 Not Modified. Relevant bit of access_log:
#.#.#.# - - [datetime] "GET /home HTTP/1.0" 304 -
          ^ no user!

which is IMHO in violation of the HTTP spec
(http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html)
relevant bit:
If the client has performed a conditional GET request and *access is allowed*, but the document has not been modified,
the server SHOULD respond with this status code.

comments?

--alex.
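
One way to search an access log for the pattern reported in the message above (a 304 on a protected URL with no user logged), as an added example that is not part of the original post. It assumes the log uses the common pattern (`%h %l %u %t "%r" %s %b`); the protected prefixes and the sample lines are constructed for illustration.

```python
import re

# Common Log Format, as produced by the access log "common" pattern:
# %h %l %u %t "%r" %s %b
CLF = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Assumption: URL prefixes covered by a security-constraint in web.xml.
PROTECTED_PREFIXES = ("/home", "/account")

def is_protected(path):
    """True if the path (query string ignored) falls under a protected prefix."""
    path = path.split("?", 1)[0]
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)

def unauthenticated_304s(lines):
    """Return (line_no, host, path) for each 304 sent on a protected URL
    while the remote-user field is '-' (no authenticated principal)."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = CLF.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        if (m["status"] == "304" and m["user"] == "-"
                and m["method"] in ("GET", "HEAD") and is_protected(m["path"])):
            findings.append((n, m["host"], m["path"]))
    return findings

# Constructed sample lines (documentation addresses, made-up users).
SAMPLE_LOG = [
    '192.0.2.10 - alice [10/Feb/2005:10:00:01 +0100] "GET /home HTTP/1.0" 200 5120',
    '192.0.2.10 - - [10/Feb/2005:10:45:12 +0100] "GET /home HTTP/1.0" 304 -',
    '192.0.2.10 - - [10/Feb/2005:10:45:13 +0100] "GET /css/site.css HTTP/1.0" 304 -',
    '192.0.2.11 - bob [10/Feb/2005:10:46:00 +0100] "GET /home HTTP/1.0" 304 -',
    '192.0.2.12 - - [10/Feb/2005:10:47:30 +0100] "GET /account/settings?tab=1 HTTP/1.1" 304 -',
    '192.0.2.12 - - [10/Feb/2005:10:47:31 +0100] "GET /homepage.html HTTP/1.1" 304 -',
]

if __name__ == "__main__":
    for line_no, host, path in unauthenticated_304s(SAMPLE_LOG):
        print(f"line {line_no}: 304 without user for {path} from {host}")
```

A 304 carries no body, so a hit here means the server confirmed to an unauthenticated client that a protected resource is unchanged; authenticated 304s and 304s on public resources are deliberately not reported.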
