
Re: Security considerations from RE-AUTHENTICATION-REQUESTED

From: Jim Gettys <jg@pa.dec.com>
Date: Fri, 13 Feb 1998 12:10:22 -0800
Message-Id: <9802132010.AA31864@pachyderm.pa.dec.com>
To: Koen Holtman <koen@win.tue.nl>, http-wg@cuckoo.hpl.hp.com
Here's my revision, given Ted and Koen's comments...
				- Jim

15.6 Authentication Credentials and Idle Clients

Existing HTTP clients and user agents typically retain authentication
information indefinitely. HTTP/1.1 does not provide a method for an origin
server or proxy to force reauthentication. Since clients may be idle for
extended periods between use (and unauthorized users may have access to
the user agent during these idle periods), this is a significant defect
that requires further extensions to HTTP. This is currently under separate
study. For user agents, there are a number of work-arounds to parts of
this problem, and we encourage the use of password protection in screen
savers, idle time-outs, and other methods which mitigate the security
problems inherent in this problem.
Received on Friday, 13 February 1998 12:15:14 EST
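As an added example (not part of Jim's message or of the HTTP/1.1 draft text), here is a small client-side credential cache in Python that implements the "idle time-out" mitigation the paragraph recommends, plus an absolute lifetime cap so steady use cannot keep a credential alive forever. The class and function names (CredentialCache, FakeClock, demo) and the sample host, realm and token are assumptions constructed for the illustration, not any HTTP library's API.

```python
"""Client-side HTTP credential cache with idle and absolute expiry.

Added illustration of the idle time-out mitigation; names are assumed,
not an HTTP library API.  A user agent that keyed its Basic/Digest
credentials by (host, realm) could use a store like this instead of
keeping them until the process exits.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class _Entry:
    credential: str   # the Authorization header value to send
    stored_at: float  # when the user last authenticated interactively
    last_used: float  # when the credential was last sent on a request


class CredentialCache:
    """idle_timeout: seconds of non-use after which the credential is dropped,
    so an unattended user agent stops authenticating on its own.
    max_lifetime: cap since the user last typed the password, so continuous
    use cannot extend the credential indefinitely.
    clock: injectable time source (defaults to time.monotonic)."""

    def __init__(self, idle_timeout: float, max_lifetime: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        if idle_timeout <= 0 or max_lifetime <= 0:
            raise ValueError("timeouts must be positive")
        self.idle_timeout = idle_timeout
        self.max_lifetime = max_lifetime
        self._clock = clock
        self._entries: Dict[Tuple[str, str], _Entry] = {}

    def store(self, host: str, realm: str, credential: str) -> None:
        """Record a credential the user just supplied interactively."""
        now = self._clock()
        self._entries[(host, realm)] = _Entry(credential, now, now)

    def _expired(self, entry: _Entry, now: float) -> bool:
        return (now - entry.last_used > self.idle_timeout
                or now - entry.stored_at > self.max_lifetime)

    def get(self, host: str, realm: str) -> Optional[str]:
        """Return the credential to send, or None if the user must re-authenticate.
        Expired entries are deleted, not merely hidden, so the secret does not
        linger in memory past its useful life."""
        key = (host, realm)
        entry = self._entries.get(key)
        if entry is None:
            return None
        now = self._clock()
        if self._expired(entry, now):
            del self._entries[key]
            return None
        entry.last_used = now  # use refreshes only the idle window
        return entry.credential

    def purge_idle(self) -> int:
        """Drop every expired entry (e.g. from a timer); returns the count dropped."""
        now = self._clock()
        dead = [k for k, e in self._entries.items() if self._expired(e, now)]
        for k in dead:
            del self._entries[k]
        return len(dead)

    def __len__(self) -> int:
        return len(self._entries)


class FakeClock:
    """Constructed clock so the walk-through is deterministic."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> list:
    """Walk one credential through active use, an idle gap, and expiry."""
    clock = FakeClock()
    cache = CredentialCache(idle_timeout=300, max_lifetime=8 * 3600, clock=clock)
    cache.store("example.test", "WallyWorld", "Basic <constructed-token>")
    events = []
    clock.advance(200)
    events.append(("in use", cache.get("example.test", "WallyWorld") is not None))
    clock.advance(200)  # 400 s since store, but only 200 s since last use
    events.append(("still in use", cache.get("example.test", "WallyWorld") is not None))
    clock.advance(301)  # user walks away for longer than the idle window
    events.append(("after idle", cache.get("example.test", "WallyWorld") is not None))
    return events


if __name__ == "__main__":
    for label, ok in demo():
        print(f"{label}: {'credential sent' if ok else 'must re-authenticate'}")
```

The two timers address different halves of the concern in the paragraph: the idle window covers the unattended-terminal case, and the absolute lifetime covers a client that stays busy (or is scripted) and would otherwise never return to the user for a password.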
