
Re: security requirements

From: David Morris <dwm@xpasc.com>
Date: Sun, 22 Oct 2006 06:35:57 -0700 (PDT)
To: Henrik Nordstrom <hno@squid-cache.org>
cc: Robert Sayre <sayrer@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <Pine.LNX.4.33.0610220623490.22416-100000@egate.xpasc.com>

It isn't a logout button but a logout capability which is needed. The only
way for an actual logout button to be presented is for there to be an
active GUI. The server needs to be able to flush the stored credentials
via response code, header, etc.

While this is all nice, as the architect of several complex web
applications, I don't find a need for improved support. Any
developer who isn't satisfied with the simplistic nature of the
web browser dialog has the freedom to prompt for credentials using
an https: based web page. Serious applications need better underlying
facilities for session authentication and management than provided by the
likes of .htaccess, etc. By the time you have worked out the
integration of user authentication owned by the application but
prompted for by the browser via www-authenticate, etc., you will
have long since completed implementation of a form / database based
implementation where logout is not an issue.

On Sat, 21 Oct 2006, Henrik Nordstrom wrote:

> fre 2006-10-20 klockan 18:12 -0400 skrev Robert Sayre:
>
> > Also, there is no logout button. I plan to take care of both problems
> > for new schemes in Mozilla.
> >
> > Message body not displayed on HTTP 401 status response
> > <https://bugzilla.mozilla.org/show_bug.cgi?id=271383>
>
> To make webmasters happy you also need to be able to embed the
> credentials input in the 401 status response similar to a forms based
> login, skipping the annoying popup outside of their look and feel
> control.

Waste of time ... and mucking of implementation layers ... if the dialog
isn't suitable, the developer of the web application needs to build it
using web page support which already exists.

>
> > Need a markup widget to clear HTTP credentials
> > <https://bugzilla.mozilla.org/show_bug.cgi?id=355319>

Not at all .. it needs to be an HTTP response code or header. Let's
keep the layers clear.

Received on Sunday, 22 October 2006 13:36:43 GMT
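The two models argued about in this thread, side by side, as an added example that is not part of any message in the archive. `handle_basic` shows the browser-dialog scheme: the server can only challenge with a 401 or accept the `Authorization` header, and once a browser has cached working Basic credentials nothing the server sends makes it forget them. `handle_session` shows the form / database style the reply recommends, where logout is simply the server deleting the session id. The user table, session table and function names are constructed for this illustration; the single plaintext password exists only to keep the block short, a real store would hold salted hashes.

```python
import base64
import hmac
import secrets

# Constructed demo credential store (assumption for this example only).
USERS = {"alice": "correct horse"}

# Server-side session table: session id -> username. Logout deletes the entry,
# which is what makes the cookie scheme's logout trivial.
SESSIONS = {}


def _check_password(user, password):
    expected = USERS.get(user)
    if expected is None:
        return False
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))


def basic_header(user, password):
    """Build the Authorization header a browser sends for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def handle_basic(headers):
    """Basic auth: returns (status, response headers, body).
    The server's whole vocabulary is 'challenge' (401 + WWW-Authenticate) or
    'accept'; there is no response that clears what the browser has cached."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            raw = base64.b64decode(auth[6:], validate=True).decode("utf-8")
            user, _, password = raw.partition(":")
        except (ValueError, UnicodeDecodeError):
            user, password = "", ""
        if _check_password(user, password):
            return 200, {}, f"hello {user}"
    return 401, {"WWW-Authenticate": 'Basic realm="demo"'}, "auth required"


def _parse_cookies(header):
    jar = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            jar[name] = value
    return jar


def handle_session(method, path, headers, form=None):
    """Form-based login with a server-side session: returns (status, headers, body).
    Credentials are posted once to a page the application controls, a random
    session id is issued in a cookie, and logout is the server forgetting it."""
    cookies = _parse_cookies(headers.get("Cookie", ""))
    sid = cookies.get("sid")
    user = SESSIONS.get(sid)

    if method == "POST" and path == "/login":
        form = form or {}
        if _check_password(form.get("user", ""), form.get("password", "")):
            sid = secrets.token_urlsafe(32)          # unguessable session id
            SESSIONS[sid] = form["user"]
            cookie = f"sid={sid}; HttpOnly; Secure; Path=/"
            return 303, {"Location": "/", "Set-Cookie": cookie}, ""
        return 401, {}, "bad credentials"

    if method == "POST" and path == "/logout":
        # Server-side invalidation: even a copy of the old cookie is now worthless.
        SESSIONS.pop(sid, None)
        expired = "sid=; Max-Age=0; HttpOnly; Secure; Path=/"
        return 303, {"Location": "/login", "Set-Cookie": expired}, ""

    if user is None:
        return 303, {"Location": "/login"}, ""
    return 200, {}, f"hello {user}"
```

Note that `handle_basic` never touches `SESSIONS`: with Basic there is nothing on the server to invalidate, because the credential lives in the browser, which is exactly why a logout capability there would need a new response code or header rather than a markup widget.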

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:49:53 GMT