W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2010

Re: Past Proposals for HTTP Auth Logout

From: Tim <tim-projects@sentinelchicken.org>
Date: Thu, 7 Jan 2010 14:29:19 -0800
To: Albert Lunde <atlunde@panix.com>
Cc: ietf-http-wg@w3.org
Message-ID: <20100107222919.GG2291@sentinelchicken.org>
> This tends to be a problem that relates to application sessions
> as much as to HTTP protocol-level authenication. It seems to be
> possible to solve at the level of a single application, and
> hard to solve at the next level of federated authetication.

Ok, I suppose things might get complicated at a SSO/federated level.
The vast majority of applications don't currently need to worry about
this.  I guess it's important to think about in relation to digest
authentication though, since it does support SSO-like features.

> Thus the Shibboleth project is periodically explaining why they
> don't provide single logout:
> <https://spaces.internet2.edu/display/SHIB2/SLOIssues>
> <https://wiki.brown.edu/confluence/display/CISDOC/
> Shibboleth+and+Application+Logout+Best+Practices>
> The varied way that different HTTP clients handle cookies,
> kerberos tickets, and other authentication credentials probably
> makes it harder to manage.  
> Web Single-Signon systems seem to depend on gimmicks outside the 
> scope of HTTP as, such in order to work with existing web
> browsers.

Sounds complicated...  I'll have to read up on it more.

Received on Thursday, 7 January 2010 22:29:47 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:52 UTC