I am implementing the BASIC authentication mechanism. It seems that when the timeout is met I cannot log in. Should Tomcat re-prompt with the login dialog automatically? I would expect so. How can I force that? Right now the user has to close the browser and restart.
I think this is what you're experiencing:
1) BASIC AUTH is protecting your site, so you are prompted by the browser for a login.
2) The AUTH mechanism logs you in, and your browser will now send your authentication token as a header, with each request.
3) Once authenticated, your pages can be accessed in an authenticated, but otherwise 'regular' way, and an HttpSession is created by Tomcat.
4) Go away from the PC for a long enough time, and your HttpSession has expired, but your BASIC AUTH header has not.
I think you'll probably have to match the HttpSession expiry behaviour with that of the authentication method you've chosen. BASIC AUTH does not 'expire' until you close the browser window. So you'll need to make your session last at least this long; this will mean "indefinitely".
There is a <session-timeout> element in web.xml that you can set to -1, meaning "will not expire" (until the browser window closes).
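The four steps described in the reply above, as an added example that is not part of the original thread and is not Tomcat's code: a small stand-alone model of a server that checks the BASIC `Authorization` header on every request and keeps idle-timeout sessions. The class name, credentials, realm and timeout are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Hypothetical model (not Tomcat code): BASIC auth plus idle-timeout sessions.
public class BasicAuthSessionModel {
    static final long TIMEOUT_MS = 60_000;                 // assumed 1-minute session timeout
    static final String USER = "alice", PASS = "s3cret";   // constructed credentials
    static final Map<String, Long> sessions = new HashMap<>(); // session id -> last access time

    // The header value a browser sends with every request once the user has logged in.
    static String basicHeader(String user, String pass) {
        byte[] raw = (user + ":" + pass).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    // Handles one request and returns "status|sessionId|isNew".
    static String handle(String authorization, String sessionId, long now) {
        byte[] expected = basicHeader(USER, PASS).getBytes(StandardCharsets.UTF_8);
        // Authentication is decided from the header alone, on every request.
        if (authorization == null || !MessageDigest.isEqual(
                expected, authorization.getBytes(StandardCharsets.UTF_8))) {
            return "401 WWW-Authenticate: Basic realm=\"demo\"|-|false";
        }
        Long last = (sessionId == null) ? null : sessions.get(sessionId);
        boolean isNew = (last == null) || (now - last > TIMEOUT_MS);
        if (isNew) {
            // Session missing or expired: it is replaced silently. The
            // credentials are still valid, so no 401 and no login dialog.
            if (sessionId != null) sessions.remove(sessionId);
            sessionId = UUID.randomUUID().toString();
        }
        sessions.put(sessionId, now);
        return "200|" + sessionId + "|" + isNew;
    }

    public static void main(String[] args) {
        String header = basicHeader(USER, PASS);
        System.out.println(handle(null, null, 0));         // step 1: no credentials yet
        String first = handle(header, null, 1_000);        // steps 2-3: header sent, session created
        System.out.println(first);
        String sid = first.split("\\|")[1];
        System.out.println(handle(header, sid, 30_000));   // still inside the timeout
        System.out.println(handle(header, sid, 200_000));  // step 4: idle longer than the timeout
    }
}
```

In this model the session timeout changes only the session id and the new-session flag; the cached header keeps authenticating the request.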
This is what I am doing currently: I set the session timeout to 1 minute in web.xml via the <session-config> tag. In my JSP I check if a timeout occurred using if newsession(). If it is not a new session (i.e. timeout met, session invalidated) I want to re-prompt for login. I am using BASIC authentication. It works fine: it prompts the user for login initially, and after I leave the PC alone for 1 minute and click my submit button (where I have code to check newsession), the timeout is detected, as I can see from my coded alert there. I want to send a message to the user that the session was invalidated, and then BASIC authentication should show its internal login window for the user to re-login. Is this doable, or am I expecting too much from BASIC?