This class's sole purpose is to defeat the persistence of Basic-Auth credentials in the browser. It does this by
detecting an expired (invalid) HttpSession presented by the client. There are two paths.
First, if the first request after a session becomes invalid is a Basic-Auth request, we automatically deny it, forcing
re-authentication.
Second, if the first request after session invalidation is not a Basic-Auth request (the user manually logged out and
was presented with the login page), we drop a cookie in the response noting the event. The next request with
Basic-Auth and a valid HttpSession checks for this cookie and, if it is present, forces re-authentication.
User: nbaker Date: 8/15/13
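
The two paths described above, written as a decision function and replayed over constructed request sequences. This is an added example in plain Java (16+), not the original class's code. The record, enum and method names are hypothetical, and the model assumes the marker cookie is cleared once it has triggered a denial and that a fresh session exists by the follow-up request.

```java
import java.util.ArrayList;
import java.util.List;

// Added illustration, not the original class: the two paths modelled with plain
// JDK types. All names here are hypothetical; the marker cookie is a boolean.
public class BasicAuthReuseModel {

    // What the filter sees on one request (constructed fields, not the servlet API).
    record Request(boolean sentSessionId, boolean sessionValid, boolean basicAuth) {}

    enum Decision { CONTINUE, CONTINUE_AND_SET_MARKER, CHALLENGE, CHALLENGE_AND_CLEAR_MARKER }

    static Decision decide(Request r, boolean markerCookie) {
        boolean expired = r.sentSessionId() && !r.sessionValid();
        if (expired && r.basicAuth()) {
            return Decision.CHALLENGE;               // path 1: deny, force re-authentication
        }
        if (expired) {
            return Decision.CONTINUE_AND_SET_MARKER; // path 2: note the event in a cookie
        }
        if (r.basicAuth() && r.sessionValid() && markerCookie) {
            return Decision.CHALLENGE_AND_CLEAR_MARKER; // path 2: marker seen, deny once
        }
        return Decision.CONTINUE;
    }

    // Replays requests from one browser, carrying the marker cookie between them.
    static List<Decision> replay(List<Request> requests) {
        List<Decision> out = new ArrayList<>();
        boolean marker = false;
        for (Request r : requests) {
            Decision d = decide(r, marker);
            if (d == Decision.CONTINUE_AND_SET_MARKER) marker = true;
            if (d == Decision.CHALLENGE_AND_CLEAR_MARKER) marker = false; // assumption: cleared on use
            out.add(d);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sequences; assumes a fresh session exists by the follow-up request.
        Request expiredBasic = new Request(true, false, true);
        Request expiredPlain = new Request(true, false, false);
        Request validBasic = new Request(true, true, true);
        System.out.println("path 1: " + replay(List.of(expiredBasic, validBasic)));
        System.out.println("path 2: " + replay(List.of(expiredPlain, validBasic, validBasic)));
    }
}
```

In the second sequence the third request passes only because the marker was cleared when it triggered the denial; a marker that stayed set would challenge every later Basic-Auth request.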