On Thu, Jan 07, 2010 at 10:24:09AM -0800, Tim wrote:
> Hello,
>
> I apologize in advance if this is not an appropriate place to ask
> this question.
>
> I'm doing some research and I'm interested in learning about any past
> proposals to augment HTTP authentication (basic/digest) with a logout
> feature. I have spent several hours reading mailing list archives and
> searching the web, and while I've found plenty of related information,
> I'm surprised to find no concrete proposals for this feature.
>
> Surely I'm missing something. Could someone point me in the right
> direction?

Speaking as a non-expert...

This tends to be a problem that relates to application sessions as much as to HTTP protocol-level authentication. It seems to be possible to solve at the level of a single application, and hard to solve at the next level of federated authentication.

Thus the Shibboleth project is periodically explaining why they don't provide single logout:

<https://spaces.internet2.edu/display/SHIB2/SLOIssues>
<https://wiki.brown.edu/confluence/display/CISDOC/Shibboleth+and+Application+Logout+Best+Practices>

The varied way that different HTTP clients handle cookies, Kerberos tickets, and other authentication credentials probably makes it harder to manage.

Web Single-Signon systems seem to depend on gimmicks outside the scope of HTTP as such, in order to work with existing web browsers.

--
Albert Lunde albert-lunde@northwestern.edu
atlunde@panix.com (address for personal mail)

Received on Thursday, 7 January 2010 20:05:16 GMT