
Re: Past Proposals for HTTP Auth Logout

From: Albert Lunde <atlunde@panix.com>
Date: Thu, 7 Jan 2010 15:04:48 -0500
To: Tim <tim-projects@sentinelchicken.org>
Cc: ietf-http-wg@w3.org
Message-ID: <20100107200448.GA20292@panix.com>
On Thu, Jan 07, 2010 at 10:24:09AM -0800, Tim wrote:
> Hello,
> 
> I apologize in advance if this is not an appropriate place to ask
> this question.
> 
> I'm doing some research and I'm interested in learning about any past
> proposals to augment HTTP authentication (basic/digest) with a logout
> feature.  I have spent several hours reading mailing list archives and
> searching the web, and while I've found plenty of related information,
> I'm surprised to find no concrete proposals for this feature.
> 
> Surely I'm missing something.  Could someone point me in the right
> direction?

Speaking as a non-expert...

This tends to be a problem that relates to application sessions
as much as to HTTP protocol-level authentication. It seems to be
possible to solve at the level of a single application, and
hard to solve at the next level of federated authentication.

Thus the Shibboleth project is periodically explaining why they
don't provide single logout:

<https://spaces.internet2.edu/display/SHIB2/SLOIssues>

<https://wiki.brown.edu/confluence/display/CISDOC/Shibboleth+and+Application+Logout+Best+Practices>

The varied way that different HTTP clients handle cookies,
kerberos tickets, and other authentication credentials probably
makes it harder to manage.  

Web Single-Signon systems seem to depend on gimmicks outside the
scope of HTTP as such, in order to work with existing web
browsers.

-- 
    Albert Lunde  albert-lunde@northwestern.edu
                  atlunde@panix.com  (address for personal mail)
Received on Thursday, 7 January 2010 20:05:16 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:16 GMT