[aerogear-dev] Cookie Management specifically Authentication

Summers Pittman supittma at redhat.com
Tue Apr 30 10:53:11 EDT 2013


Y'all,

Currently in the demo app (controller-demo) whenever we authenticate a 
cookie is set to manage the session.  When we log out the cookie is expired.

On the client side this means we need to manage the cookies somehow.  
This is done automatically for Android and Javascript when the logout 
URL is accessed.  On Android this access happens via the logout method 
of AGAuthenticationModule (via an HTTP GET).

In the case of HTTP Basic authentication, however, logging out is simply 
expiring the credentials the user is using on the client side, i.e. the 
API should stop caching and sending them.  However, because cookie 
management is automatic and global (currently and also by design in 
Java) when the controller demo sets the session cookie the cookie store 
(for the domain) must be explicitly tossed. I don't think this is the 
correct thing to do.

 From my perspective there are a few options.

1) Http-Basic authentication on the server should NOT create a session 
and the client should NOT expire the cookie store when logout is called 
on an HttpBasicAuthenticationModule instance.

2) Http-Basic authentication on the server WILL create a session and the 
client WILL expire the cookie store when logout is called on an 
HttpBasicAuthenticationModule instance.

3) Http-Basic authentication on the server WILL create a session AND 
provide a key name and the client WILL expire the cookie value for the 
key when logout is called on an HttpBasicAuthenticationModule instance.

4) Abstractj comes up with a brilliant idea I haven't thought of.

Summers
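Added example, not part of the original mail or of AeroGear's code: a sketch of option 3 on the Android/Java side, where logout on an HTTP Basic module drops the cached credentials and removes only the server-named session cookie from the process-wide CookieStore, so the rest of the domain's cookies survive. Class, method and cookie names (BasicLogoutSketch, JSESSIONID, demo.invalid) are assumptions for illustration.

```java
import java.net.CookieManager;
import java.net.CookieStore;
import java.net.HttpCookie;
import java.net.URI;

/**
 * Hypothetical sketch of option 3 (not AeroGear's API): logout stops caching
 * the Basic credentials AND expires only the session cookie whose name the
 * server advertised, leaving unrelated cookies in the global store intact.
 */
public class BasicLogoutSketch {
    private final CookieStore store;
    private final URI baseUri;
    private final String sessionCookieName; // key name provided by the server
    private String cachedAuthorization;     // "Basic <base64>", null once logged out

    BasicLogoutSketch(CookieStore store, URI baseUri, String sessionCookieName, String authorization) {
        this.store = store;
        this.baseUri = baseUri;
        this.sessionCookieName = sessionCookieName;
        this.cachedAuthorization = authorization;
    }

    /** Stop sending credentials and expire just the named session cookie. */
    void logout() {
        cachedAuthorization = null;               // module stops caching/sending the header
        for (HttpCookie c : store.get(baseUri)) { // get() returns a copy; mutating store is safe
            if (c.getName().equalsIgnoreCase(sessionCookieName)) {
                store.remove(baseUri, c);         // targeted removal, not the whole domain
            }
        }
    }

    boolean isLoggedIn() { return cachedAuthorization != null; }

    public static void main(String[] args) {
        CookieStore store = new CookieManager().getCookieStore();     // the global store
        URI api = URI.create("http://demo.invalid/controller-demo/"); // constructed sample URI
        store.add(api, new HttpCookie("JSESSIONID", "c0ffee"));       // constructed session cookie
        store.add(api, new HttpCookie("locale", "en"));               // unrelated cookie to preserve

        BasicLogoutSketch module = new BasicLogoutSketch(store, api, "JSESSIONID", "Basic dXNlcjpwYXNz");
        module.logout();

        System.out.println("logged in: " + module.isLoggedIn());
        for (HttpCookie c : store.get(api)) {
            System.out.println("remaining cookie: " + c.getName());
        }
    }
}
```

After logout the module no longer holds credentials and only the unrelated cookie remains for the URI, which is the behaviour option 3 asks for on the client.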


