I read your text many times but couldn't come to a conclusion. So, isn't there a way to force a logout and let the user authenticate again? At least with BASIC.

On Mon, 16 Dec 2002 13:27:48 -0500 "Michael Nicholson" <[EMAIL PROTECTED]> wrote:
> From what I understand, the authorization header using BASIC authentication
> has a terrible way of hanging around in most (if not all) browsers. When
> you access the protected resource, and the browser receives the
> 'authentication needed' header, the browser returns whatever it has stored
> in its memory (i.e., your last login). I haven't heard of any sure-fire
> ways of stopping that, other than to restart the browser.
>
> This isn't, however, quite the same thing as invalidating a session.
> Invalidating a session simply means that the container (tomcat) is going to
> have to create a new session whenever you use request.getSession() (unless
> you use request.getSession(false) which will probably throw an exception) or
> browse to a jsp that hasn't been told not to use sessions. And the new
> session will have nothing in it that was put in it before the
> session.invalidate() call.
>
> I've never really looked at form based authentication; does it possibly
> store some sort of user credential in the session, which is therefore
> removed when the session is invalidated (effectively removed, anyhow, as I
> suppose it's still sitting in that invalidated session until garbage
> collection...), forcing another login? But basic authentication, at least
> as I understand it, doesn't store it that way. It gets stored in a header,
> and in the browser.
>
> Mike
>
> ----- Original Message -----
> From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, December 16, 2002 12:58 PM
> Subject: Invalidate Session Problem
>
>> Hello,
>>
>> I want to say thanks for the help with the other problem and ask about
>> another thing. It is about invalidating a session.
>>
>> While I was using the FORM to log into the apps I was able
>> to invalidate my session, but now I am using BASIC and
>> it is not working.
>>
>> I read in some places that it may be a bug. Is it, and how
>> can I invalidate the session another way?
>>
>> Thanks.
>> Ricardo Costa.
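
The exchange Mike describes, modelled as an added example that is not part of the original thread and is not Tomcat code: a toy server that invalidates the session on `/logout`, and a toy browser that keeps resending its cached Basic credentials. The account, paths, realm and all function and class names are constructed for illustration.

```python
import base64, hmac, secrets

USERS = {"ricardo": "s3cret"}      # constructed account
SESSIONS = {}                      # session id -> attributes (stand-in for the container's store)

def authenticate(header):
    """Return the user named in a valid 'Authorization: Basic ...' header, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
    except ValueError:
        return None
    ok = hmac.compare_digest(USERS.get(user, "").encode(), pw.encode())
    return user if ok and user in USERS else None

def server(path, headers):
    """One request against the protected app; returns (status, response headers)."""
    user = authenticate(headers.get("Authorization"))
    if user is None:
        return 401, {"WWW-Authenticate": 'Basic realm="app"'}
    sid = headers.get("Cookie")
    if path == "/logout":
        SESSIONS.pop(sid, None)                    # the session.invalidate() step
        return 200, {}
    if sid not in SESSIONS:                        # like request.getSession(): create if missing
        sid = secrets.token_hex(8)
        SESSIONS[sid] = {"user": user}
    return 200, {"Set-Cookie": sid}

class Browser:
    """Keeps the session cookie and, like real browsers, the Basic credentials."""
    def __init__(self, user, password):
        self.typed = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.auth = self.cookie = None
        self.prompts = 0                           # how often the login dialog was shown

    def get(self, path):
        for _ in range(2):
            pairs = (("Authorization", self.auth), ("Cookie", self.cookie))
            status, resp = server(path, {k: v for k, v in pairs if v})
            if status != 401 or self.auth:
                break
            self.prompts += 1                      # user types the password once
            self.auth = "Basic " + self.typed
        self.cookie = resp.get("Set-Cookie", self.cookie)
        return status

    def restart(self):                             # closing the browser drops both
        self.auth = self.cookie = None
```

After `/logout` the old session id is gone and the next request gets a fresh session, but the prompt counter does not move until `restart()` clears the cached header.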