Our application authticates users using the basic authentication scheme. Since the user credentials are always part of the request header sent by the browser, how does one implement a 'logoff' ? Is there any way to invalidate a request header ?
Chen, If I remember this correctly, an authentication that was done through BASIC will be valid until the user closes her browser. If the authentication was done via a FORM, then you could simply call invalidate() on the HttpSession and the next fetch would require the user to login again. As always, you will definitely want to double-check this information--but I hope it gets you headed off in the right direction.