1 Reply Latest reply on Nov 12, 2001 12:59 PM by J. Wolfgang Kaltz

    Login Module

    Ralph Lynn Newbie

      I've created a login module that seems to handle both authentication and authorization. I'm using form based login for my webapp. However, in the following scenario, the login() method doesn't seem to get called and I'm not sure why...

      1. Browse to protected area
      2. Login Form displayed
      login() method called
      3. Submit Login form with username and password
      login(), commit() methods called
      4. User authenticated
      5. Close Browser

      If I open the browser and surf to the protected area and attempt to login as the same user, the login() method is never called. I think this is because the user data is cached on the server side. Is there any way to force a logout when the browser is closed?

      Ralph

        • 1. Re: Login Module
          J. Wolfgang Kaltz Novice

          Yes, the server does cache the credentials, but this need not be a problem for you : if the user provides the same username & password again, then it's OK right ? If the user provides the same username but a different password, the server would do a login() so you're still safe.

          At any case you can't do anything on browser closing (except maybe with JavaScript or some other screwy thing). What you can do, is an explicit "logout" button in your application, and invalidate the http session when this is called. This can also give you a hook to do something with your ejbs (search the forums for HttpSessionBindingListener, there was some discussion on this a while back)