Re: Past Proposals for HTTP Auth Logout

From: Tim <tim-projects@sentinelchicken.org>
Date: Sat, 9 Jan 2010 15:19:39 -0800
To: Mike Kelly <mike@mykanjo.co.uk>
Cc: 'HTTP Working Group' <ietf-http-wg@w3.org>
Message-ID: <20100109231938.GA2316@sentinelchicken.org>

> Browsers just need to provide a standardized javascript API for
> setting and flushing the Authorization header (per domain).

This is a possible solution, if all browsers supported JavaScript.
Most don't.  Most only support ECMAScript and I'm sure you know how
ugly this stuff gets in practice.

At a more abstract level, HTTP handles log-ins in stateful
authentication protocols, but you're asking JavaScript to handle log
outs.  This asymmetry seems confusing.

> 'Logging In and Out' is a purely client-side concern, so it seems a
> good candidate for solving with code on demand - since there's
> really no visibility to lose.

No, I think you're mistaken here.  It is also a concern for
cryptographic protocols.  Typically, any secure protocol will define
some kind of session key which needs to be forgotten once the session
is over.  Server and client need to synchronize this.

Regards,
tim
Received on Saturday, 9 January 2010 23:20:10 GMT
