> Christopher Schultz wrote:
>> Also, you could set the error page that is used when a user doesn't
have
>> the proper credentials to something that gives you the opportunity to
>> re-login in order to access the forbidden resource. When you want to
log
>> someone out of BASIC authentication, you have to send a blank
>> "WWW-Authenticate" header to the client, just the same way that
Tomcat
>> would do if you weren't already authenticated.

Could you expand on this? RFC2616 (HTTP/1.1)
(http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.47) says
of the WWW-Authenticate header:

"The field value consists of at least one challenge that indicates the
authentication scheme(s) and parameters applicable to the Request-URI."

Which clients would take a null WWW-Authenticate header to mean log out?

-Mitch

---------------------------------------------------------------------
To start a new topic, e-mail: users@(protected)
To unsubscribe, e-mail: users-unsubscribe@(protected)
For additional commands, e-mail: users-help@(protected)