> Christopher Schultz wrote:
>> Also, you could set the error page that is used when a user doesn't have
>> the proper credentials to something that gives you the opportunity to
>> re-login in order to access the forbidden resource. When you want to log
>> someone out of BASIC authentication, you have to send a blank
>> "WWW-Authenticate" header to the client, just the same way that Tomcat
>> would do if you weren't already authenticated.

Could you expand on this? RFC2616 (HTTP/1.1) (http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.47) says of the WWW-Authenticate header:

"The field value consists of at least one challenge that indicates the authentication scheme(s) and parameters applicable to the Request-URI."

Which clients would take a null WWW-Authenticate header to mean log out?

-Mitch
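
The grammar quoted in the reply above (`1#challenge`, where RFC 2617 defines a challenge as an auth-scheme followed by at least one auth-param) can be checked mechanically. This is an added example, not part of the original thread: a small Python parser, simplified to `name=value` parameters, that shows an empty field value does not satisfy that grammar. The function name and the sample realm strings are constructed for illustration.

```python
import re

# RFC 2616 "token": any CHAR except CTLs and separators.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# auth-param = token "=" ( token | quoted-string )
_PARAM = re.compile(rf'({TOKEN})\s*=\s*(?:({TOKEN})|"((?:[^"\\]|\\.)*)")')
# auth-scheme = token, followed by 1*SP and then the first auth-param
_SCHEME = re.compile(rf'({TOKEN})[ \t]+(?={TOKEN}\s*=)')


def parse_challenges(value):
    """Parse a WWW-Authenticate field value into [(scheme, {param: value})].

    Raises ValueError when the value does not contain at least one
    challenge, which is what the quoted RFC 2616 sentence requires.
    """
    challenges = []
    pos, end = 0, len(value)
    while True:
        # The "#" list rule separates elements with commas and optional LWS.
        while pos < end and value[pos] in ", \t":
            pos += 1
        if pos >= end:
            break
        scheme = _SCHEME.match(value, pos)
        if scheme:
            challenges.append((scheme.group(1), {}))
            pos = scheme.end()
            continue
        param = _PARAM.match(value, pos)
        if not param or not challenges:
            raise ValueError(f"malformed challenge at offset {pos}")
        name, token_value, quoted_value = param.groups()
        if token_value is None:
            # Undo quoted-pair escaping inside a quoted-string.
            token_value = re.sub(r"\\(.)", r"\1", quoted_value)
        challenges[-1][1][name.lower()] = token_value
        pos = param.end()
    if not challenges:
        raise ValueError("field value contains no challenge (1#challenge)")
    return challenges


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    for sample in ('Basic realm="Example Realm"', ""):
        try:
            print(repr(sample), "->", parse_challenges(sample))
        except ValueError as exc:
            print(repr(sample), "-> rejected:", exc)
```
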