W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 2001

RE: Logout

From: Tom McLaren <tom@mclaren.tc>
Date: Wed, 3 Jan 2001 09:47:57 -0000
To: "Erik Aronesty" <erik@primedata.org>
Cc: <http-wg@cuckoo.hpl.hp.com>
Message-ID: <DEEDIPFNGKJGJCCFAMIGEECLCAAA.tom@mclaren.tc>
I agree that a "logout" type button should certainly be implemented. I'm
interested in your choice of words however, naming the non-provision of an
HTTP server cache clearance request as a security hole. In my opinion it is
the responsibility of the site to provide some form of timeout security. To
provide an HTTP type clearance of the cache is exposing the agent to what
amounts to control by a third party. Surely this would constitute a greater
threat to security and not be a road to wander down without serious
consideration of the potential future implications?

Tom

> -----Original Message-----
> From: Erik Aronesty [mailto:erik@primedata.org]
> Sent: 02 January 2001 21:15
> To: Erik Aronesty; Scott Lawrence
> Cc: http-wg@cuckoo.hpl.hp.com; support@microsoft.com
> Subject: Re: Logout
>
>
>
> Sorry I found it... there is a recommendation,
>
>     Microsoft and Netscape just blindly ignore it:
>
> Section 15.6 "Authentication Credentials and Idle Clients":
>
>  "In particular, user agents which cache credentials are
>    encouraged to provide a readily accessible mechanism for discarding
>    cached credentials under user control."
>
> Which neither do - even though it's a security hole.
>
>                 - Erik
>
> ----- Original Message -----
> From: "Erik Aronesty" <erik@primedata.org>
> To: "Scott Lawrence" <slawrence@virata.com>
> Cc: <http-wg@cuckoo.hpl.hp.com>
> Sent: Tuesday, January 02, 2001 4:12 PM
> Subject: Re: Logout
>
>
> > > > the passwords that are used to access HTTP servers?  IE: a "logout"
> > button
> > > > for HTTP built-in authentication.
> > > >
> > > > I imagine that this is the sort of requirement that HTTP
> people think
> > that
> > > > this should be in the HTML group - and vice-versa.
> > > >
> > > > However it is an embarrassing oversight in modern browsers.
> > >
> > > One that some of us have tried hard to overcome, to no avail.  The
> > > basic problem is that the browser vendors have listened carefully to
> > > what thier customers want, and have heard loud and clear that they
> > > don't want to have to remember passwords.
> >
> > Over 600 users have asked us within the last year how to "log out" of
> sites
> > such as etrade and daytek which use HTTP based authentication.
> >
> > Browser customers don't want to remember passwords - however they want
> > a "logout button" as well.  This is not a paradox and there is no
> > inextricable reason why
> > browsers can't cache usr information but have a button for "clearing the
> > cache"
> >
> > I think the real reason that this has not been done is because
> both major
> > browsers today have other agendas regarding network access and security.
> >
> > Currently there is no way to clear the cache by having an HTTP server
> > request
> > it to be cleared - or by a user initiating the clearing of this
> information.
> > This
> > is a basic security leak - and should be plugged.
> >
> > > Paul Leach of Microsoft and I attempted to provide a framework for a
> > > solution to this and some related problems in a submission to the
> > > W3C (User Agent Authentication Forms) in February of 1999:
> > >
> > >     http://www.w3.org/TR/1999/NOTE-authentform-19990203
> >
> >
> > However, this is a "forms based" solution which undermines digest
> > authentication
> > and other more "standard" forms of authentication - that have
> proved very
> > helpful
> > to developers of web applications.
> >
> > Simply, there should be one line added to section 4.13
> >
> >     ftp://ftp.isi.edu/in-notes/rfc2617.txt
> >
> > "It is reccomended that the authenticating agent provide a set
> mechanisms
> > for
> > removing entries from the "password file" associated with a given realm,
> for
> > the purposes of logging out of a system."
> >
> > And that's about all that's necessary.
> >
> > I don't think it needs a whole RFC ... just an addendum to
> existing ones.
> >
> >             - Erik
> >
>
>
>
Received on Wednesday, 3 January 2001 09:59:23 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:41 EDT