W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > September to December 1997

Re: REAUTHENTICATION REQUIRED

From: Dave Kristol <dmk@bell-labs.com>
Date: Sat, 15 Nov 1997 19:30:02 -0500
Message-Id: <34748CAB.BF7@bell-labs.com>
To: Paul Leach <paulle@microsoft.com>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Paul Leach wrote:
> [...]
> A user agent MUST NOT reuse the same credentials if a substantial amount of
> time has passed without any user activity -- for example, the current user
> may have left their browser, and an unauthorized one started using it. It is
> RECOMMENDED that this time not exceed one hour, and that it be configurable.

I have argued for several years that a browser ought to have a way to
let a user say "forget all my authentication stuff".  However, as a
user, I dislike this suggestion of a timeout.  I keep the browser on my
workstation up as long as the browser and OS don't crash.  I don't
particularly want to have to reauthenticate myself every hour or so.

The problem you're trying to solve is one of machines shared by multiple
users.  Better to address that problem in all its glory (including
shared cookies, for example), than to nibble around the edges with a
timeout for a specific authentication problem.

Dave Kristol
Received on Thursday, 20 November 1997 11:20:07 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:03 EDT