
Prompting to relogin on timeout

 
Raj Puri
Ranch Hand
Posts: 189
I am implementing the BASIC authentication mechanism. It seems that when the timeout is met I cannot log in. Should Tomcat re-prompt with the login dialog automatically? I would expect so. How can I force that? Right now the user has to close the browser and restart.
 
Mike Curwen
Ranch Hand
Posts: 3695
I think this is what you're experiencing:
1) BASIC AUTH is protecting your site, so you are prompted by the browser for a login.
2) The AUTH mechanism logs you in, and your browser will now send your authentication token as a header with each request.
3) Once authenticated, your pages can be accessed in an authenticated, but otherwise 'regular' way, and an HttpSession is created by Tomcat.
4) Go away from the PC for a long enough time, and your HttpSession has expired, but your BASIC AUTH header has not.

I think you'll probably have to match the HttpSession expiry behaviour with that of the authentication method you've chosen. BASIC AUTH does not 'expire' until you close the browser window. So you'll need to make your session last at least this long; this will mean "indefinitely".

There is a <session-timeout> element in web.xml that you can set to -1, meaning "will not expire" (until the browser window closes).
 
Raj Puri
Ranch Hand
Posts: 189
This is what I am doing currently:
I set the session timeout to 1 minute in web.xml via the <session-config> tag.
In my JSP I check whether a timeout occurred using if newsession(). If it is not a new session (i.e. timeout met, session invalidated) I want to re-prompt for login. I am using BASIC authentication. It works fine: it prompts the user for login initially, and after I leave the PC alone for 1 minute and click my submit button (where I have code to check newsession), the timeout is detected, as I can see from my coded alert there. I want to send a message to the user that the session was invalidated, and then BASIC authentication should show its internal login window for the user to re-login. Is this doable, or am I expecting too much from BASIC?
 
Mike Curwen
Ranch Hand
Posts: 3695
You're expecting too much from BASIC, I think. Because in your mind, you're relating the Java HttpSession object with an HTTP BASIC AUTH token that is sent in the Header, by your browser.

That your server-side Session object has expired has nothing to do with your client-side Authentication header. The only way to "un-authenticate" or "expire" this token is to close the browser.

Hmm..... that I know of. Perhaps there *is* a way.
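
The sequence described in this thread, as an added example that is not part of the original posts and is not Tomcat code: a toy Java model in which the server's session timeout and the browser's cached BASIC header have separate lifetimes. The user name, password, session ids and the `handle` method are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Toy model only: constructed credentials and ids, no servlet API involved.
public class BasicAuthVsSession {
    static final long TIMEOUT_MS = 60_000;   // 1-minute session timeout, as in the thread
    static final Map<String, Long> sessions = new HashMap<>(); // session id -> last access
    static long clock = 0;                   // simulated time in milliseconds
    static int nextId = 1;

    // Server side: the Authorization header is checked on every request,
    // independently of whether the session id still refers to a live session.
    static String handle(String authorization, String sessionId) {
        if (!credentialsOk(authorization)) {
            return "401 WWW-Authenticate: Basic"; // the response that makes a browser prompt
        }
        Long last = sessions.get(sessionId);
        boolean expired = last == null || clock - last > TIMEOUT_MS;
        if (expired) {
            sessions.remove(sessionId);
            sessionId = "S" + nextId++;           // a replacement session is created silently
        }
        sessions.put(sessionId, clock);
        return "200 session=" + sessionId + (expired ? " (new)" : "");
    }

    static boolean credentialsOk(String authorization) {
        if (authorization == null || !authorization.startsWith("Basic ")) return false;
        try {
            byte[] raw = Base64.getDecoder().decode(authorization.substring(6));
            return "raj:s3cret".equals(new String(raw, StandardCharsets.UTF_8));
        } catch (IllegalArgumentException malformedBase64) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Browser side: after one prompt, the same header is replayed with every request.
        String header = "Basic " + Base64.getEncoder()
                .encodeToString("raj:s3cret".getBytes(StandardCharsets.UTF_8));
        System.out.println(handle(null, null));   // first visit, no credentials yet
        System.out.println(handle(header, null)); // user has filled in the login dialog
        clock += 30_000;                          // activity inside the timeout
        System.out.println(handle(header, "S1"));
        clock += 120_000;                         // idle past the timeout, header still cached
        System.out.println(handle(header, "S1"));
    }
}
```

The last call in `main` carries the expired session id together with the still-valid header, and the model answers with a fresh session rather than a 401 challenge, which is why the browser never shows its dialog again.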
 