- From: Jan Algermissen <algermissen1971@mac.com>
- Date: Fri, 08 Jan 2010 09:39:05 +0100
- To: David Morris <dwm@xpasc.com>
- Cc: Nicolas Alvarez <nicolas.alvarez@gmail.com>, ietf-http-wg@w3.org

On Jan 7, 2010, at 10:51 PM, David Morris wrote:

> On Thu, 7 Jan 2010, Nicolas Alvarez wrote:
>
>> Tim wrote:
>>> I'm doing some research and I'm interested in learning about any past
>>> proposals to augment HTTP authentication (basic/digest) with a logout
>>> feature. I have spent several hours reading mailing list archives and
>>> searching the web, and while I've found plenty of related information,
>>> I'm surprised to find no concrete proposals for this feature.
>>
>> I don't see how that concerns HTTP; it's a missing feature on the
>> browsers.
>>
>> Credentials are sent on every request. All you need is a logout button on
>> the *browser* that makes it stop sending credentials. Go file feature
>> requests to the browser vendors :)
>
> So on what basis does the browser prompt again? It is likely a better user
> experience if the flush credentials is part of a server response to a
> web page logout button which lets both ends know the logout occurred and
> takes the user to a page which doesn't immediately present a new
> credential dialog.

This is a hypermedia and/or browser issue, not an HTTP issue.

The server can send along with the 401 response a representation to display. Maybe the version of the page for unauthenticated users. The browser can display a less annoying dialog or button in the GUI showing the client that it *can* log in. Otherwise the client could continue or be redirected to a non-auth version of the Web site.

It is just a matter of what the browser makes of the 401 response. It need not display the login dialog right away.

Jan

--------------------------------------
Jan Algermissen
Mail: algermissen@acm.org
Blog: http://algermissen.blogspot.com/
Home: http://www.jalgermissen.com
--------------------------------------

Received on Friday, 8 January 2010 08:39:43 UTC