At first glance the 2nd idea looks good; item 4 is the worst idea ever :)
--
"The measure of a man is what he does with power" - Plato
-
@abstractj
-
Volenti Nihil Difficile
On Tuesday, April 30, 2013 at 11:53 AM, Summers Pittman wrote:
Y'all,
Currently in the demo app (controller-demo), whenever we authenticate, a
cookie is set to manage the session. When we log out the cookie is expired.
On the client side this means we need to manage the cookies somehow.
This is done automatically for Android and JavaScript when the logout
URL is accessed. On Android this access happens via the logout method
of AGAuthenticationModule (via an HTTP GET).
In the case of HTTP Basic authentication, however, logging out is simply
expiring the credentials the user is using on the client side, i.e. the
API should stop caching and sending them. However, because cookie
management is automatic and global (currently, and also by design in
Java), when the controller demo sets the session cookie the cookie store
(for the domain) must be explicitly tossed. I don't think this is the
correct thing to do.
From my perspective there are a few options.
1) Http-Basic authentication on the server should NOT create a session,
and the client should NOT expire the cookie store when logout is called
on an HttpBasicAuthenticationModule instance.
2) Http-Basic authentication on the server WILL create a session, and the
client WILL expire the cookie store when logout is called on an
HttpBasicAuthenticationModule instance.
3) Http-Basic authentication on the server WILL create a session AND
provide a key name, and the client WILL expire the cookie value for that
key when logout is called on an HttpBasicAuthenticationModule instance.
4) Abstractj comes up with a brilliant idea I haven't thought of.
Summers
_______________________________________________
aerogear-dev mailing list
aerogear-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev
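To make options 1 and 3 from the quoted message concrete, here is an added sketch (not AeroGear code, and not the HttpBasicAuthenticationModule discussed above) of a Basic-auth client module built on java.net.CookieStore: logout forgets the cached credentials and, for option 3, removes only the cookie whose name the server advertised, rather than tossing the whole store for the domain. The cookie name "JSESSIONID", the URIs and the cookie values are constructed assumptions.

```java
import java.net.CookieManager;
import java.net.CookieStore;
import java.net.HttpCookie;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Hypothetical example, not part of AeroGear: a Basic-auth module whose logout
// drops the cached Authorization header and only the server-named session cookie.
public class BasicAuthLogoutExample {
    private final CookieStore cookieStore;
    private final URI baseUri;
    private String authorizationHeader; // "Basic <base64>" while logged in, else null

    public BasicAuthLogoutExample(CookieStore cookieStore, URI baseUri) {
        this.cookieStore = cookieStore;
        this.baseUri = baseUri;
    }

    public void login(String user, String password) {
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        authorizationHeader = "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    public String authorizationHeader() { return authorizationHeader; }

    // Option 1: stop caching/sending credentials; the cookie store is untouched.
    public void logoutCredentialsOnly() { authorizationHeader = null; }

    // Option 3: additionally expire just the cookie the server named (assumed
    // "JSESSIONID"). Returns how many cookies were removed. CookieStore.get()
    // returns a fresh list, so removing while iterating is safe.
    public int logout(String sessionCookieName) {
        authorizationHeader = null;
        int removed = 0;
        for (HttpCookie cookie : cookieStore.get(baseUri)) {
            if (cookie.getName().equals(sessionCookieName) && cookieStore.remove(baseUri, cookie)) {
                removed++;
            }
        }
        return removed;
    }

    public static void main(String[] args) {
        CookieStore store = new CookieManager().getCookieStore();
        URI demo = URI.create("http://localhost:8080/controller-demo/");
        // Constructed sample cookies: the demo's session cookie and an unrelated app's cookie.
        store.add(demo, new HttpCookie("JSESSIONID", "abc123"));
        store.add(URI.create("http://localhost:8080/other-app/"), new HttpCookie("prefs", "dark"));
        BasicAuthLogoutExample module = new BasicAuthLogoutExample(store, demo);
        module.login("john", "123");
        System.out.println("removed: " + module.logout("JSESSIONID"));
        System.out.println("cookies left for the host: " + store.getCookies().size());
    }
}
```

Compare this with option 2, which would call `store.removeAll()` and discard the other app's cookie as well.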