W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 2001

RE: Logout

From: Tom McLaren <tom@mclaren.tc>
Date: Tue, 2 Jan 2001 20:25:26 -0000
To: <http-wg@cuckoo.hpl.hp.com>
Message-ID: <DEEDIPFNGKJGJCCFAMIGAECHCAAA.tom@mclaren.tc>
<apologies for resend>

Excuse me if I'm missing the point, but with IE (my browser of choice),
isn't this addressed by the autocomplete option, esp. the ability to clear
passwords/details? Also, on shared PCs, I find deleting temporary files when
I leave a necessity.

An interesting point raised is whether browser vendors should expose what is
primarily internal functionality to aid the user (e.g. password remembrance)
to external (primarily display only) data. Similar to Java access
permissions? Hmmm ...

-----Original Message-----
From: Dave Kristol [mailto:dmk@research.bell-labs.com]
Sent: 02 January 2001 19:16
To: erik@primedata.org
Cc: http-wg@cuckoo.hpl.hp.com
Subject: Re: Logout


"Erik Aronesty" <erik@primedata.org> wrote:
  >
  > Dear Sirs,
  >
  > Is it required that user agents have a mechanism for expiring or
forgetting
  > the passwords that are used to access HTTP servers?  IE: a "logout"
button
  > for HTTP built-in authentication.
  >
  > I imagine that this is the sort of requirement that HTTP people think
that
  > this should be in the HTML group - and vice-versa.
  >
  > However it is an embarrassing oversight in modern browsers.

<sigh>

You have touched on one of *my* hot buttons.  I have argued for such a
thing for, oh, about six years.  Obviously without success.  As you
guess, it's not an HTTP issue, having nothing really to do with the
*protocol*.  But it's also not an HTML issue, having nothing to do with
the content of pages.  Rather it's a user interface issue, and thus at
the discretion of the browser vendors.  And, for whatever reason, they
have never been interested in providing a way to discard passwords,
except to exit the browser.

I can think of two situations where such a feature would be *really*
handy:

1) When I'm trying to debug server-side authentication code, and I want
to force the browser I'm using to forget its passwords.

2) In an environment where machines are shared (college computer lab,
public library, Internet cafe), and I want to discard the passwords
I've entered before I leave the machine.

Similar reasoning would recommend a feature to discard all cookies, as
well, but that's another topic entirely. :-)

Dave Kristol
Received on Tuesday, 2 January 2001 20:37:12 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:41 EDT