form-based authentication & session.invalidate

Google

Mailing List

Home

Forum Home

JBoss - Java Application Server

Struts - A MVC web framework

Tomcat - JSP/Servlet container

iText - An open source PDF Java Library

JDOM - JDOM XML Parser

J2EE - A mailing list for Java(tm) 2 Platform, Enterprise Edition

J2EE Pattern - An interest list for Sun Java Center J2EE Pattern Catalog

Servlet - A mailing list for discussion about Sun Microsystem's Java Servlet API Technology

JSP - A mailing list about Java Server Pages specification and reference

Struts & Hibernate

Subjects

•	JSP editor plugin for eclipse ?
•	org apache jasper JasperException: Unable to compile class for JSP
•	Tomcat: Connection reset by peer: socket write error
•	Cannot retrieve definition for form bean null
•	Struts Tiles Tutorial (free Struts training)
•	Where do I download Tomcat 4 0 6?
•	Data Access Object (DAO) pattern, example DAO 's
•	Where to download Tomcat v 4 1 24 from?
•	Tomcat 5 0 16 Requested resource not available
•	Oracle Connection Pooling in 3 2 2
•	Servlet : Session invalidate
•	Servlet action is currently unavailable
•	Tomcat/Struts Unicode Encoding/Decoding problems
•	Tomcat and webapplication specific java library path
•	Running a Simple JMS Example
•	Mapping in workers2 properties
•	org apache jasper JasperException
•	Cannot find message resources under key org apache struts action MESSAGE
•	problem with html:text bean throwing exception
•	Cannot find message resources under key org apache struts action MESSAGE
•	invalid direct reference problem with solution
•	Tool for jsp debug Try Sysdeo Eclipse Plugin
•	Tomcat 5 Cannot load JDBC driver class 'null ' SQL state: null
•	weblogic ejbc
•	java properties file
•	Jboss 3 2 3 Coyote Can 't re
•	Tomcat 5, Apache2 and mod jk2 integration problem
•	JBoss example problem new to J2EE
•	url string for connecting jboss to oracle
•	Value attribute of <html:checkbox
•	javax servlet ServletException: BeanUtils populate
•	HTTP Status 404 The requested resource is not available
•	5 0 18: Windows XP Pro vs Windows 2000

form-based authentication & session.invalidate

form-based authentication & session.invalidate

2003-10-11 - By Tim Funk

Back

Reply: 1 2 3 4 5

Authentication information is somewhat stored in the session for form based
authentication. (I can't remember the specifics) So using session.invalidate
should log the user out. This works since the session id which is a cookie or
URL rewriting scheme is what the browser keys in on. By invalidating that id
on the server, the browser is now sending an invalid credential and thus
logged out.

In BASIC authentication, the credentials are stored in the web browser and
sent when/if requested. So the only way to get rid of those stored
credentials is by closing the web browser.

[Of course, when the web server is restarted or web app restarted - I can't
recall what happens to the authentication information. ]

-Tim

Adam Hardy wrote:
> I am using session.invalidate() to try to cause the user to receive
> another login request, using CMS form-based authentication.
>
> I saw the same issue in bugzilla but for basic authentication:
>
> http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12147
>
> where the tomcat developer/bugzilla person resolved the issue saying
> that CMS basic authentication cannot be manipulated in this way since
> the browser sends the login info with every request, requiring the user
> to close the browser before seeing another login request.
>
> Is this the same for form-based authentication?
>
> I thought that in tomcat4 I was getting new login request for the users
> just by invalidating their sessions. Am I deluding myself?
>

-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ------
To unsubscribe, e-mail: tomcat-user-unsubscribe@(protected)
For additional commands, e-mail: tomcat-user-help@(protected)