- From: Dave Kristol <dmk@research.bell-labs.com>
- Date: Tue, 2 Jan 2001 14:15:42 -0500 (EST)
- To: erik@primedata.org
- Cc: http-wg@cuckoo.hpl.hp.com
"Erik Aronesty" <erik@primedata.org> wrote: > > Dear Sirs, > > Is it required that user agents have a mechanism for expiring or forgetting > the passwords that are used to access HTTP servers? IE: a "logout" button > for HTTP built-in authentication. > > I imagine that this is the sort of requirement that HTTP people think that > this should be in the HTML group - and vice-versa. > > However it is an embarrassing oversight in modern browsers. <sigh> You have touched on one of *my* hot buttons. I have argued for such a thing for, oh, about six years. Obviously without success. As you guess, it's not an HTTP issue, having nothing really to do with the *protocol*. But it's also not an HTML issue, having nothing to do with the content of pages. Rather it's a user interface issue, and thus at the discretion of the browser vendors. And, for whatever reason, they have never been interested in providing a way to discard passwords, except to exit the browser. I can think of two situations where such a feature would be *really* handy: 1) When I'm trying to debug server-side authentication code, and I want to force the browser I'm using to forget its passwords. 2) In an environment where machines are shared (college computer lab, public library, Internet cafe), and I want to discard the passwords I've entered before I leave the machine. Similar reasoning would recommend a feature to discard all cookies, as well, but that's another topic entirely. :-) Dave Kristol
Received on Tuesday, 2 January 2001 11:19:21 UTC