REST services basic auth session timeout


You don't need the <session-config> element at all.

What you experience is how browsers implement the authentication protocol.

Briefly, basic authentication (RFC 2617) works like this:

  1. Client requests some resource.
  2. Server recognizes that the resource has a security constraint. Therefore it sends an HTTP 401 "Authorization required" response. The header contains something like...

    WWW-Authenticate: Basic realm="Protected"
    
  3. The client resends its request, but this time with the credentials (base64-encoded) in the header, e.g. ...

    Authorization: Basic dG9tY2F0OnMzY3JIdA==
    
  4. The server authenticates the request based on the given credentials and sends the requested resource.

In order to make web browsing convenient for humans virtually every browser caches the credentials until the browser is closed. Every time you reload the page in the browser the "Authorization" entry is sent with the header of the request. Therefore you are not asked for your credentials again while testing your web service with a browser.

With Firefox you can control that behavior. Check out the discussion about Firefox quickly forget HTTP Basic Auth.

Author: Runar Halse

I'm a software developer and architect with a masters degree from the University in Bergen. I've been working in several domains over the last years, including telecom, tv, logistics and economy.

Updated on June 04, 2022

Comments

  • Runar Halse
    Runar Halse almost 2 years

    I'm working on a RESTful web service using basic authentication. In the web.xml I have the following:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Services</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>User</role-name>
        </auth-constraint>
    </security-constraint>
    <session-config>
        <session-timeout>1</session-timeout>
    </session-config>
    

    This works as expected: the user must supply a password when interacting with the service.

    However, to conform to more RESTful standards, I think it really should be a stateless service where the session is never created. In other words, I would like to force the clients to supply their credentials for each request.

    If I set the session-timeout to 0 in the web.xml, this is interpreted as "never expire", which is the exact opposite of what I want.

    Is there a simple way to get the session to get invalidated immediately?

  • Runar Halse
    Runar Halse over 11 years
    This is configured as a cookie which makes it possible for the user to browse without supplying the credentials for every request. You are able to specify for how long this cookie/session should be valid.
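As an added example, not code from the answer or the question above: a small Python model of the four-step Basic authentication exchange the answer describes, written from the server's side as a stateless check. Every request is parsed and verified on its own; the handler keeps no session and sets no cookie, which is the behaviour the question asks for. The names `USERS`, `REALM`, `handle`, `parse_basic_authorization`, `encode_basic` and `run_exchange` are assumptions of this example, the credential store is constructed for the demo, and the header value it produces is its own, not the one quoted in the answer.

```python
import base64
import binascii
import hmac

# Constructed credential store for this example only. A real service would
# look users up in a store of hashed passwords, never plaintext.
USERS = {"demo": "demo-pass"}
REALM = "Protected"  # same realm string as the answer's sample challenge


def challenge():
    """Step 2: the server's reply when a protected resource is requested
    without acceptable credentials (HTTP 401 plus WWW-Authenticate)."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, b"Authorization required"


def parse_basic_authorization(header):
    """Decode an 'Authorization: Basic <base64>' value into (user, password).

    Returns None when the header is absent, uses another scheme, is not valid
    base64, or lacks the ':' separator, so the caller falls back to a 401."""
    if header is None:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    # The user-id may not contain ':' but the password may, so split only once.
    user, sep, password = raw.decode("utf-8", errors="replace").partition(":")
    if not sep:
        return None
    return user, password


def verify(user, password):
    """Check a credential pair against the store with a constant-time compare."""
    expected = USERS.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))


def handle(request):
    """Stateless request handler: nothing is remembered between calls.

    `request` is a dict with 'path' and 'headers'. Without valid credentials the
    answer is the 401 challenge (step 2); with them, the resource (step 4)."""
    creds = parse_basic_authorization(request["headers"].get("Authorization"))
    if creds is None or not verify(*creds):
        return challenge()
    return 200, {"Content-Type": "text/plain"}, f"hello {creds[0]}".encode("utf-8")


def encode_basic(user, password):
    """Client side of step 3: build the Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def run_exchange():
    """Walk the four steps and return the status codes observed.

    The third request repeats the first without credentials to show that the
    server kept no state from the successful request in between."""
    status1, headers1, _ = handle({"path": "/api", "headers": {}})        # step 1
    assert status1 == 401 and headers1["WWW-Authenticate"].startswith("Basic")  # step 2
    auth = encode_basic("demo", "demo-pass")                               # step 3
    status2, _, _ = handle({"path": "/api", "headers": {"Authorization": auth}})  # step 4
    status3, _, _ = handle({"path": "/api", "headers": {}})               # no session: 401 again
    return status1, status2, status3


if __name__ == "__main__":
    print(run_exchange())  # (401, 200, 401)
```

The browser behaviour the answer describes is exactly the part this model leaves out: a client that wants to avoid a 401 on every reload has to cache and resend the `Authorization` header itself, because the server side above never hands out anything it could reuse.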