You could possibly track the "referer" header of the request. If the
referer is a site outside your protection domain then re-authenticate.
This could be done in a filter: Check the header, log out the user,
redirect to the requested page to trigger re-authentication.
This technique assumes the "referer" header has been set by the browser.
As it's not a mandatory header you may not always get it:
http://www.w3.org/Protocols/rfc2616/rfc2616.txt
Specifically section 14.36 Referer
HTH,
Jon
David wrote:
> Actually I do not know how to do it. I know those internet banking sites
> do it. They have this option of "Log out" for their users. When users
> click on that "log out" option, they will in effect log out of the
> protected realm. Should they decide to return to the same site again
> (using the same instance of the IE) they will be prompted for the password
> and ID again.
>
> Currently, with basic authentication ( implemented using HTTP SERVER)
> the server does not recognise if the user has moved onto another site
> outside the protected realm. If he decides to surf an area outside the
> protected realm, and decides to return to the protected realm, he will
> not be prompted for a password.
>
> This problem arises when the computer being used to access my protected
> realm is a public computer. If that is the case, users who enter my
> protected realm and forget to terminate that instance of the IE are going
> to allow subsequent users of that machine to access my site.
>
> My question is how can I implement such a way as mentioned above ?
> The "log out" button kind of effect.
>
> Many thanks.
>
> Regards
> David
>
>
> -----Original Message-----
> From: George Sexton [mailto:gsexton@(protected)]
> Sent: Sunday, September 21, 2003 12:47 AM
> To: 'Tomcat Users List'
> Subject: RE: Can JSP track users in a basic authentication protected
> realm ?
>
> Can you explain how Tomcat will be able to tell whether the user has
> navigated away and returned, versus just taken some period of time
> before getting the next page?
>
> -----Original Message-----
> From: David [mailto:amdawong@(protected)]
> Sent: Saturday, September 20, 2003 9:56 AM
> To: Tomcat User
> Subject: Can JSP track users in a basic authentication protected realm ?
>
>
>
> Hi guys,
>
> Does anyone know how I can implement the above mentioned?
> Once they exit the protected realm (i.e. the protected folder in my
> htdocs), when they re-enter the site again they will be asked for a
> password. I have a simple basic authentication system but it doesn't
> track the user when it leaves the protected realm. What I wanted to do
> was to get the server to re-authenticate the user every time he leaves my
> realm and tries to re-enter again.
>
>
> Some people suggested CGI, some suggest PHP..
>
> I would like to know if JSP can do the job. If yes, what level of
> competence do I know JSP ?
>
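
The filter described in the reply at the top of this thread, written out as an added example (not code from the thread or from Tomcat). It assumes a session-backed login such as FORM authentication, because with BASIC the browser re-sends its cached credentials and invalidating the session does not force a prompt; the class name, the `allowMissingReferer` init parameter and the session attribute name are hypothetical.

```java
import java.io.IOException;
import java.net.URI;
import javax.servlet.*;      // jakarta.servlet.* on Tomcat 10 and later
import javax.servlet.http.*;

public class RefererReauthFilter implements Filter {
    private static final String SEEN = "refererReauth.seen"; // hypothetical attribute name
    private boolean allowMissing; // policy for requests that carry no Referer at all

    public void init(FilterConfig cfg) {
        allowMissing = Boolean.parseBoolean(cfg.getInitParameter("allowMissingReferer"));
    }
    public void destroy() { }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(false);
        boolean loggedIn = session != null && req.getRemoteUser() != null;
        // The first request after a login always passes; the container may replay the
        // original request (external Referer included) and the redirect would loop.
        boolean firstAfterLogin = loggedIn && session.getAttribute(SEEN) == null;
        if (firstAfterLogin) session.setAttribute(SEEN, Boolean.TRUE);
        if (!loggedIn || firstAfterLogin || isInternal(req.getHeader("Referer"), req.getServerName())) {
            chain.doFilter(rq, rs);
            return;
        }
        session.invalidate();                       // log the user out
        String q = req.getQueryString();
        // Collapse leading slashes so "//other.host/x" cannot turn this into an open redirect.
        String target = req.getRequestURI().replaceFirst("^[/\\\\]+", "/") + (q == null ? "" : "?" + q);
        res.sendRedirect(target);                   // same page again: triggers the login prompt
    }

    // Compare the parsed host, never a substring: "http://mysite.example.other.test/" must not match.
    boolean isInternal(String referer, String ownHost) {
        if (referer == null || referer.isEmpty()) return allowMissing;
        try {
            String host = URI.create(referer).getHost();
            return host != null && host.equalsIgnoreCase(ownHost);
        } catch (IllegalArgumentException e) {
            return false;                           // unparseable Referer counts as external
        }
    }
}
```

Map the filter in web.xml to the same URL pattern as the protected area. The Referer header is supplied by the client, so this is a convenience for shared machines and does not replace an explicit log-out or a short session timeout.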