W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1998

Re: Security considerations from RE-AUTHENTICATION-REQUESTED

From: Scott Lawrence <lawrence@agranat.com>
Date: Fri, 13 Feb 1998 15:19:22 -0500 (EST)
To: Jim Gettys <jg@pa.dec.com>
Cc: Koen Holtman <koen@win.tue.nl>, http-wg@cuckoo.hpl.hp.com, http-wg@hplb.hpl.hp.com
Message-Id: <Pine.LNX.3.96.980213151521.26622D-100000@alice.agranat.com>


On Fri, 13 Feb 1998, Jim Gettys wrote:

> Here's my revision, given Ted and Koen's comments...
> 				- Jim
> 
> 15.6 Authentication Credentials and Idle Clients
> 
> Existing HTTP clients and user agents typically retain authentication 
> information indefinately. HTTP/1.1. does not provide a method for an origin 
> server or proxy to force reauthentication. Since clients may be idle for 
> extended periods between use (and unauthorized users may have access to 
> the user agent during these idle periods), this is a significant defect 
> that requires further extensions to HTTP. This is currently under separate 
> study. For user agents, there are a number of work-arounds to parts of 
> this problem, and we enourage the use of password protection in screen 
> savers, idle time-outs, and other methods which mitigate the security 
> problems inherent in this problem.

  I believe that the problem is somewhat more general than
reauthentication.  There are times when the web application developer
would like to force the client to discard credentials whether or not they
should then be reaquired.  The simplest example is the often-asked
question: "How do I get the browser to discard the credentials when the
user presses my 'logout' form submit button?".

  We've been going back and forth on the http-ext list about whether this
is the same requirement or not...
Received on Friday, 13 February 1998 12:21:21 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:13 EDT