W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2010

Re: Past Proposals for HTTP Auth Logout

From: Albert Lunde <atlunde@panix.com>
Date: Thu, 7 Jan 2010 15:04:48 -0500
To: Tim <tim-projects@sentinelchicken.org>
Cc: ietf-http-wg@w3.org
Message-ID: <20100107200448.GA20292@panix.com>
On Thu, Jan 07, 2010 at 10:24:09AM -0800, Tim wrote:
> Hello,
> I appologize in advance if this is not an appropriate place to ask
> this question.
> I'm doing some research and I'm interested in learning about any past
> proposals to augment HTTP authentication (basic/digest) with a logout
> feature.  I have spent several hours reading mailing list archives and
> searching the web, and while I've found plenty of related information,
> I'm surprised to find no concrete proposals for this feature.
> Surely I'm missing something.  Could someone point me in the right
> direction?

Speaking as a non-expert...

This tends to be a problem that relates to application sessions
as much as to HTTP protocol-level authenication. It seems to be
possible to solve at the level of a single application, and
hard to solve at the next level of federated authetication.

Thus the Shibboleth project is periodically explaining why they
don't provide single logout:



The varied way that different HTTP clients handle cookies,
kerberos tickets, and other authentication credentials probably
makes it harder to manage.  

Web Single-Signon systems seem to depend on gimmicks outside the 
scope of HTTP as, such in order to work with existing web

    Albert Lunde  albert-lunde@northwestern.edu
                  atlunde@panix.com  (address for personal mail)
Received on Thursday, 7 January 2010 20:05:16 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:52 UTC