W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2010

Re: Past Proposals for HTTP Auth Logout

From: Albert Lunde <atlunde@panix.com>
Date: Sat, 9 Jan 2010 12:10:09 -0500
To: 'HTTP Working Group' <ietf-http-wg@w3.org>
Message-ID: <20100109171009.GA17007@panix.com>
> Browsers just need to provide a standardized javascript API for setting  
> and flushing the Authorization header (per domain).
>
> 'Logging In and Out' is a purely client-side concern, so it seems a good  
> candidate for solving with code on demand - since there's really no  
> visibility to lose.

I'd argue that the federated case, or even the problem of invalidating
application sessions in a load-balanced web application makes
it a total-system problem.

There does seem to be a user-interface and management issue 
with providing a unified interface to all the possible sorts of login 
credentials, that gives their scope and human meaning.

Off-hand, we've got Basic and Digest Auth passwords, Kerberos
tickets in several forms, encrypted cookies, SAML assertions,
and probably stuff tied to session keys in the HTML or URLs.

There are too many messy issues in the big picture...

If I use a magic new feature to "log out" of an intranet site 
authenticated with MSIE, have I just dumped the Kerberos tickets 
for our AD domain?

Can you provide a human-readable, non-spoofable way to label
the credentials?

Can the protocol be spoofed?

-- 
    Albert Lunde  albert-lunde@northwestern.edu
                  atlunde@panix.com  (address for personal mail)
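As an added illustration (not code from Lunde, from the quoted poster, or from any browser), here is a userland sketch of the "set and flush the Authorization header per domain" API the quoted proposal asks for, with the scope-labelling question from the reply folded in. No browser exposes such an API; the store, the function names, the sample origins and the credentials are all assumptions constructed for the example.

```javascript
// Added example: a per-origin Authorization store over fetch-style requests.
// Everything here (names, origins, credentials) is constructed for
// illustration; no browser ships this API.

// key: origin (scheme://host[:port]) -> { scheme, label, value }
const credentialStore = new Map();

const toBase64 = (s) =>
  typeof btoa === 'function' ? btoa(s) : Buffer.from(s, 'utf8').toString('base64');

// Register a credential for one origin, with a human-readable label so a
// logout or "manage credentials" UI can say what would be discarded.
function setAuthorization(originUrl, scheme, label, value) {
  const origin = new URL(originUrl).origin;
  credentialStore.set(origin, { scheme, label, value });
  return origin;
}

// Convenience for RFC 7617 Basic: "Basic " + base64(user:password).
function setBasic(originUrl, user, password) {
  return setAuthorization(
    originUrl,
    'Basic',
    `Basic password for ${user} at ${new URL(originUrl).host}`,
    'Basic ' + toBase64(`${user}:${password}`)
  );
}

// "Log out" of exactly one origin. Returns the discarded entry (or null) so
// the caller can tell the user what was flushed. No other origin is touched.
function flushAuthorization(originUrl) {
  const origin = new URL(originUrl).origin;
  const entry = credentialStore.get(origin) || null;
  credentialStore.delete(origin);
  return entry;
}

// Header value to attach to a request for this URL, if any.
function authorizationFor(url) {
  const entry = credentialStore.get(new URL(url).origin);
  return entry ? entry.value : null;
}

// What a credentials dialog could list: origin, scheme and the label.
function describeCredentials() {
  return [...credentialStore].map(([origin, e]) => ({
    origin, scheme: e.scheme, label: e.label,
  }));
}

// Build fetch options for a request, adding only this origin's header.
function withAuthorization(url, init = {}) {
  const headers = { ...(init.headers || {}) };
  const value = authorizationFor(url);
  if (value) headers.Authorization = value;
  return { ...init, headers };
}

// Walk through the intranet case from the reply: flushing the Basic password
// for one host leaves the (separately stored) Negotiate entry alone.
function demo() {
  credentialStore.clear();
  setBasic('https://intranet.example.com', 'alice', 's3cret'); // constructed
  // A Negotiate value is held here as opaque text; a real Kerberos ticket
  // lives in the OS credential cache, outside any per-origin web store.
  setAuthorization('https://sso.example.com', 'Negotiate',
    'Kerberos ticket for realm EXAMPLE.COM', 'Negotiate <constructed-token>');

  const before = describeCredentials().length;
  const intranetBefore = authorizationFor('https://intranet.example.com/app');
  const flushed = flushAuthorization('https://intranet.example.com/logout');
  return {
    before,                                   // 2 entries stored
    intranetBefore,                           // 'Basic YWxpY2U6czNjcmV0'
    flushedScheme: flushed ? flushed.scheme : null,                   // 'Basic'
    intranetAfter: authorizationFor('https://intranet.example.com/app'), // null
    ssoAfter: authorizationFor('https://sso.example.com/'),           // unchanged
    ssoHeader: withAuthorization('https://sso.example.com/').headers.Authorization,
  };
}

console.log(demo());
```

The point the script makes is the one raised above: a per-origin flush discards only what the client itself stored under that origin. The Kerberos TGT in the OS credential cache, the application session on a load-balanced back end, and any SAML assertion at the identity provider are not touched, so a browser-side "logout" API is at best one piece of a total-system answer.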
Received on Saturday, 9 January 2010 17:27:11 GMT
