On Fri, 2008-12-19 at 12:14 +0000, Kirk, Laurence wrote:
> I have apache acting as a proxy and providing authentication to a
> JBoss application server. I time out sessions in JBoss but I think
> the browser is storing the login details as the user can carry on
> without having to log in again.
>
> Is there a way to force the browser to delete login details, or for
> apache to force reauthentication when there is a new session?
>
> Has anyone else come across this situation?
>
> Thanks,
> Laurence

If you mean "is there a way to clear basic auth settings from the browser", then yes, you can send a 403 response. Once a browser receives a 403, it forgets any authorization it knew from the same realm, and prompts the user for new credentials. If it receives a 2XX or 3XX in response, the browser then remembers those credentials and sends them along with all other requests to the same server, until it receives a 403 response.

If you mean "can I make the browser forget 'remembered passwords'", then no, you can't do anything about that. You could be logging them out, they try to access something, apache prompts for basic auth, and the user's browser just resupplies the saved information. That is perfectly valid, and beyond your control.

Cheers

Tom
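
The situation in this thread, as an added example that is not part of the original messages: a front-end gate that ties Basic credentials to a server-side session and answers with the standard HTTP authentication challenge (401 plus `WWW-Authenticate`) whenever the session is missing or timed out, so credentials the browser replays from its cache are not enough on their own. The names `gate`, `valid_basic`, the `gate` cookie, the realm, the user table and the timeout are hypothetical, and the sketch assumes the browser returns the cookie set on the 401 response.

```python
import base64
import hmac
import secrets
import time

REALM = "app"                    # constructed realm name
USERS = {"laurence": "s3cret"}   # constructed demo credentials
SESSION_TTL = 900                # assumed idle timeout in seconds
sessions = {}                    # sid -> last-seen time (demo store, no eviction)

def valid_basic(header):
    """True if an 'Authorization: Basic ...' value carries known credentials."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode()
    except ValueError:           # bad base64 or bad UTF-8
        return False
    user, _, password = decoded.partition(":")
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode())

def gate(authorization, cookie_sid, now=None):
    """Return (status, headers) for one request.

    200 only when the credentials are valid AND the session cookie names a
    session that has not idled out. The cookie never authenticates by itself.
    """
    now = time.time() if now is None else now
    last_seen = sessions.get(cookie_sid)
    fresh = last_seen is not None and now - last_seen <= SESSION_TTL
    if fresh and valid_basic(authorization):
        sessions[cookie_sid] = now
        return 200, {}
    # No live session: drop the old one and challenge, even if the request
    # carried valid credentials (they may be the browser's cached copy).
    sessions.pop(cookie_sid, None)
    sid = secrets.token_urlsafe(16)
    sessions[sid] = now
    return 401, {
        "WWW-Authenticate": f'Basic realm="{REALM}"',
        "Set-Cookie": f"gate={sid}; HttpOnly; Secure; Path=/",
    }
```

As the reply above notes, a password the browser has saved for the user can still be resupplied at the prompt; this only forces the prompt to happen.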