Before I post this as a bug & possibly make a complete idiot of myself, please have a look...
Tomcat 5.5.7 on Win2k, MSIE6
1. load an authenticated page (JDBCRealm or DataSourceRealm w/SHA, FORM login-config, SingleSignOn valve)
2. wait until authentication timeout OR close browser window & reopen
3. perform a conditional GET (i.e. reload WITHOUT ctl-shift)
Result: Tomcat returns 304 Not Modified. Relevant bit of access_log:
#.#.#.# - - [datetime] "GET /home HTTP/1.0" 304 -
          ^ no user!
which is IMHO in violation of the HTTP spec (http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html). Relevant bit:
If the client has performed a conditional GET request and *access is allowed*, but the document has not been modified,
the server SHOULD respond with this status code.
comments?
--alex.
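
A log check for the behaviour reported above, as an added example that is not part of the original post: it scans access-log lines in Common Log Format for 304 responses on protected paths where the user field is "-". The protected prefix list and the sample log lines are constructed assumptions.

```python
import re

# Common Log Format: host ident authuser [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: URL prefixes that sit behind a security constraint.
PROTECTED_PREFIXES = ("/home",)

def is_protected(path):
    """True if the path (query string ignored) is under a protected prefix."""
    path = path.split("?", 1)[0]
    return any(path == p or path.startswith(p.rstrip("/") + "/")
               for p in PROTECTED_PREFIXES)

def unauthenticated_304s(lines):
    """Return parsed entries where a protected path got a 304 with no user."""
    hits = []
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue  # not a Common Log Format line
        entry = m.groupdict()
        if (entry["status"] == "304" and entry["user"] == "-"
                and is_protected(entry["path"])):
            hits.append(entry)
    return hits

# Constructed sample lines (documentation IP range, made-up user name).
SAMPLE = [
    '192.0.2.10 - user1 [01/Mar/2005:10:00:00 +0000] "GET /home HTTP/1.0" 200 5120',
    '192.0.2.10 - user1 [01/Mar/2005:10:01:00 +0000] "GET /home HTTP/1.0" 304 -',
    '192.0.2.10 - - [01/Mar/2005:11:30:00 +0000] "GET /home HTTP/1.0" 304 -',
    '192.0.2.10 - - [01/Mar/2005:11:30:05 +0000] "GET /style.css HTTP/1.0" 304 -',
    '192.0.2.10 - - [01/Mar/2005:11:31:00 +0000] "GET /home HTTP/1.0" 302 -',
    '192.0.2.10 - - [01/Mar/2005:11:32:00 +0000] "GET /homepage HTTP/1.0" 304 -',
]

if __name__ == "__main__":
    for hit in unauthenticated_304s(SAMPLE):
        print(f'{hit["time"]} {hit["host"]} {hit["path"]} -> 304 without a user')
```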