[aerogear-dev] Cookie Management specifically Authentication
Bruno Oliveira
bruno at abstractj.org
Tue Apr 30 13:26:31 EDT 2013
At first glance the 2nd idea looks good; item 4 is the worst idea ever :)
--
"The measure of a man is what he does with power" - Plato
-
@abstractj
-
Volenti Nihil Difficile
On Tuesday, April 30, 2013 at 11:53 AM, Summers Pittman wrote:
> Y'all,
>
> Currently in the demo app (controller-demo) whenever we authenticate a
> cookie is set to manage the session. When we log out the cookie is expired.
>
> On the client side this means we need to manage the cookies somehow.
> This is done automatically for Android and JavaScript when the logout
> URL is accessed. On Android this access happens via the logout method
> of AGAuthenticationModule (via an HTTP GET).
>
> In the case of HTTP Basic authentication, however, logging out is simply
> expiring the credentials the user is using on the client side, i.e. the
> API should stop caching and sending them. However, because cookie
> management is automatic and global (currently and also by design in
> Java) when the controller demo sets the session cookie the cookie store
> (for the domain) must be explicitly tossed. I don't think this is the
> correct thing to do.
>
> From my perspective there are a few options.
>
> 1) Http-Basic authentication on the server should NOT create a session
> and the client should NOT expire the cookie store when logout is called
> on a HttpBasicAuthenticationModule instance.
>
> 2) Http-Basic authentication on the server WILL create a session and the
> client WILL expire the cookie store when logout is called on a
> HttpBasicAuthenticationModule instance.
>
> 3) Http-Basic authentication on the server WILL create a session AND
> provide a key name and the client WILL expire the cookie value for the
> key when logout is called on a HttpBasicAuthenticationModule instance.
>
> 4) Abstractj comes up with a brilliant idea I haven't thought of.
>
> Summers
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org (mailto:aerogear-dev at lists.jboss.org)
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
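
Options 2 and 3 in the quoted message differ in how much of the client's cookie store a logout touches. The sketch below is an added example, not AeroGear code: it uses the standard `java.net.CookieStore`, and the server URI, the cookie names `JSESSIONID` and `locale`, and the helper methods are assumptions made for illustration.

```java
import java.net.CookieManager;
import java.net.CookieStore;
import java.net.HttpCookie;
import java.net.URI;
import java.util.ArrayList;

public class LogoutCookieScope {

    // Option 2: logout drops every cookie the store holds for the server.
    static int expireAll(CookieStore store, URI server) {
        return expireMatching(store, server, null);
    }

    // Option 3: logout drops only the cookie whose key name the server provided.
    static int expireNamed(CookieStore store, URI server, String sessionKey) {
        return expireMatching(store, server, sessionKey);
    }

    private static int expireMatching(CookieStore store, URI server, String name) {
        int removed = 0;
        // Copy first: get() returns an immutable list.
        for (HttpCookie c : new ArrayList<>(store.get(server))) {
            boolean match = name == null || c.getName().equalsIgnoreCase(name);
            if (match && store.remove(server, c)) {
                removed++;
            }
        }
        return removed;
    }

    // Constructed sample state: one session cookie plus one unrelated cookie.
    private static CookieStore sampleStore(URI server) {
        CookieStore store = new CookieManager().getCookieStore();
        store.add(server, new HttpCookie("JSESSIONID", "constructed-session-id"));
        store.add(server, new HttpCookie("locale", "en_US"));
        return store;
    }

    public static void main(String[] args) {
        URI server = URI.create("https://demo.example/"); // hypothetical host

        CookieStore a = sampleStore(server);
        System.out.println("option 2 removed " + expireAll(a, server) + ", left " + a.get(server));

        CookieStore b = sampleStore(server);
        System.out.println("option 3 removed " + expireNamed(b, server, "JSESSIONID") + ", left " + b.get(server));
    }
}
```

Because the cookie store is global to the process, the option 2 path also discards cookies that other code set for the same server, while the option 3 path leaves them in place and only invalidates the session identifier.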