- From: Jan Algermissen <algermissen1971@mac.com>
- Date: Fri, 08 Jan 2010 20:27:07 +0100
- To: 'HTTP Working Group' <ietf-http-wg@w3.org>
On Jan 8, 2010, at 8:02 PM, David Morris wrote:

> On Fri, 8 Jan 2010, Jan Algermissen wrote:
>
>> [..]
>> This is a hypermedia and/or browser issue, not an HTTP issue. The
>> server can send along with the 401 response a representation to
>> display. Maybe the version of the page for unauthenticated users.
>> The browser can display a less annoying dialog or button in the GUI
>> showing the client that it *can* login. Otherwise the client could
>> continue or be redirected to a non-auth version of the Web site.
>>
>> It is just a matter of what the browser makes of the 401 response.
>> It need not display the login dialog right away.
>
> That is really not true ... what any part of the process 'could' or
> 'can' do is not relevant to interoperability. The point of standards is
> that all parties know what is expected of their behavior and what they
> can expect from the other parties.
>
> web authentication lacks a specified way to close the door once it
> is open. Providing a door close function is a requirement on HTTP.

But how can it be any simpler (and thus easier to understand) than to send with each request the credentials if the intention is to authenticate for a protected resource? And to tell the browser to stop sending them (and forget them if desired)?

Most browsers today ask for auto-auth behavior for non-HTTP authentication anyway - just copying the standard behaviour of how HTTP auth is implemented in browsers.

I think what would maybe address your worries is if the browser displayed the used credentials in the GUI on a per-page basis so you'd know what is going on. OTH, most sites do that anyhow by displaying 'You are logged in as foo' on the page.

Jan

> There is sufficient evidence after 15 years that browser
> implementors haven't chosen to implement even a simple credential
> flush dialog. When you use a browser to access www-auth protected
> content, do you have a solid understanding of when your credentials
> are invalidated? Or exactly how they are used? If you use multiple
> browser windows, opened as processes? Opened as new windows? How
> about tabs? I have no confidence that I understand the span of
> applicability with anything short of rebooting the system insuring
> credentials are purged. I've been an implementor of web technology
> based applications since 1994. If I'm not confident, how do you
> expect the average user to even understand there to be a problem?

--------------------------------------
Jan Algermissen

Mail: algermissen@acm.org
Blog: http://algermissen.blogspot.com/
Home: http://www.jalgermissen.com
--------------------------------------
Received on Friday, 8 January 2010 19:28:00 UTC