Y'all, Currently in the demo app (controller-demo) when ever we authenticate a cookie is set to manage the session. When we log out the cookie is expired. On the client side this means we need to manage the cookies somehow. This is done automatically for Android and Javascript when the logout URL is accessed. On Android this access happens via the logout method of AGAuthenticationModule (via a HTTP GET). In the case of HTTP Basic authentication, however, logging out is simply expiring the credentials the user is using on the client side. IE the API should stop caching and sending them. However, because cookie management is automatic and global (currently and also by design in Java) when the controller demo sets the session cookie the cookie store (for the domain) must be explicitly tossed. I don't think this is the correct thing to do. From my perspectives there are a few options. 1) Http-Basic authentication on the server should NOT create a session and the client should NOT expire the cookie store when logout is called on a HttpBasicAuthenticationModule instance. 2) Http-Basic authentication on the server WILL create a session and the client WILL expire the cookie store when logout is called on a HttpBasicAuthenticationModule instance. 3) Http-Basic authentication on the server WILL create a session AND provide a key name and the client WILL expire the cookie value for the key when logout is called on a HttpBasicAuthenticationModule instance. 4) Abstractj comes up with a brilliant idea I haven't thought of. Summers _______________________________________________ aerogear-dev mailing list aerogear-dev(a)lists.jboss.org (mailto:aerogear-dev@lists.jboss.org) https://lists.jboss.org/mailman/listinfo/aerogear-dev