Re: Past Proposals for HTTP Auth Logout

From: Yutaka OIWA <y.oiwa@aist.go.jp>
Date: Tue, 12 Jan 2010 22:32:16 +0900
To: Tim <tim-projects@sentinelchicken.org>
Cc: ietf-http-wg@w3.org
Message-ID: <8763775tzz.fsf@bluewind.rcis.aist.go.jp>
Tim <tim-projects@sentinelchicken.org> writes:

> Also, what is
> the goal of the location-when-logout design?  Could the body of a 200
> response as I propose not achieve a similar goal?  It's just that it
> seems confusing to mix 2XX/3XX/4XX semantics by having a redirect
> instruction potentially appear in non-3XX response types.

This is to support client-initiated log-out, and is generally not
needed for server-initiated log-out, as you might guess.

# Clicking a "log-out" link to log out is a server-initiated log-out.

In our current proposal, when the server requests a log-out,
a usual positive response with the header
"Authentication-control: Mutual logout-timeout=0" will be sent
from the server, and this will cause the client's memory of
the user/pass associated with the current request to be erased.
In this case we can just use the usual 302/303 responses for redirection.

However, if the user asks the browser to log out
(our test implementation browser has a "log-out" UI button),
the client will clear its user/pass memory and then "reload" the
current page by default.
While it should be OK to reload a GET request,
it is undesirable to reload other kinds of requests like POSTs.

# In most cases, the final actions which authenticated users want to
# do will be POST requests (e.g. a "Check out the shopping cart" button :-).

Our "location-when-logout" directive suggests that the client change this
default behavior; it will move to the newly specified location (with a GET
request) instead of reloading.

# And this is why our draft encourages applications to send an
# appropriate location-when-logout directive for every POST request.

So, to me it does not seem similar to a Location in a 3XX response; it
is more like a special link that is activated after logging out.  Another
possible solution might be a special-meaning Link: header, but I think
that our current design is better than that.

Yutaka OIWA, Ph.D.                                       Research Scientist
                            Research Center for Information Security (RCIS)
    National Institute of Advanced Industrial Science and Technology (AIST)
                      Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]
Received on Tuesday, 12 January 2010 13:32:53 UTC
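Added example, not code from the draft or from the message above: a small client-side model of the two logout paths the message describes. A response carrying "Authentication-control: Mutual logout-timeout=0" erases the cached user/pass (server-initiated logout), while a user-initiated logout erases the credentials and then either reloads the current page or, when the page's response carried a location-when-logout directive, navigates to that location with a GET. The directive grammar (token or quoted-string values separated by commas, the location spelled `location-when-logout="<URL>"`), the header-name casing and the helper names are assumptions made for this example; the draft's actual syntax may differ.

```python
"""Model of client behaviour on HTTP auth logout (added example, not the
draft's or the author's code).

Assumed directive syntax (not given on the page):
    Authentication-control: Mutual <name>=<token-or-quoted-string>, ...
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# One directive: name=token or name="quoted string", followed by ',' or end.
_DIRECTIVE_RE = re.compile(
    r'\s*([A-Za-z0-9-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))\s*(?:,|$)'
)


def parse_authentication_control(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'Mutual logout-timeout=0, location-when-logout="/bye"' into the
    scheme name and a lower-cased directive map (assumed grammar)."""
    scheme, _, rest = value.strip().partition(" ")
    directives: Dict[str, str] = {}
    pos = 0
    while pos < len(rest):
        m = _DIRECTIVE_RE.match(rest, pos)
        if not m:
            raise ValueError(f"malformed directive at {rest[pos:]!r}")
        if m.group(2) is not None:
            val = re.sub(r"\\(.)", r"\1", m.group(2))  # undo quoted-pair escapes
        else:
            val = m.group(3)
        directives[m.group(1).lower()] = val
        pos = m.end()
    return scheme, directives


@dataclass
class Request:
    method: str
    url: str


@dataclass
class ClientAuthState:
    """Per-origin credential cache plus the logout link of the current page."""
    credentials: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    current: Optional[Request] = None
    current_logout_location: Optional[str] = None


def origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def process_response(state: ClientAuthState, request: Request,
                     headers: Dict[str, str]) -> Optional[str]:
    """Record the page and apply its Authentication-control header.
    Returns 'server-logout' when logout-timeout=0 erased the credentials."""
    state.current = request
    state.current_logout_location = None
    hdr = {k.lower(): v for k, v in headers.items()}.get("authentication-control")
    if hdr is None:
        return None
    scheme, d = parse_authentication_control(hdr)
    if scheme.lower() != "mutual":
        return None
    if "location-when-logout" in d:
        # Resolve relative to the page, like a link on that page would be.
        state.current_logout_location = urljoin(request.url, d["location-when-logout"])
    if d.get("logout-timeout") == "0":
        state.credentials.pop(origin_of(request.url), None)
        return "server-logout"
    return None


def user_logout(state: ClientAuthState) -> Tuple[str, str, str]:
    """The user presses the browser's log-out button.  Returns the follow-up
    navigation as (method, url, reason).  Without a location-when-logout
    the default is to reload the current page, which for a POST means
    resubmitting it; the third element makes that visible."""
    req = state.current
    if req is None:
        raise RuntimeError("no current page to log out from")
    state.credentials.pop(origin_of(req.url), None)  # forget user/pass first
    if state.current_logout_location:
        return ("GET", state.current_logout_location, "location-when-logout")
    if req.method == "GET":
        return ("GET", req.url, "reload")
    return (req.method, req.url, f"reload-resubmits-{req.method}")


if __name__ == "__main__":
    # Constructed sample exchange: a checkout POST whose response carries the directive.
    st = ClientAuthState()
    st.credentials["https://shop.example"] = ("alice", "hunter2")
    process_response(st, Request("POST", "https://shop.example/cart/checkout"),
                     {"Authentication-control": 'Mutual location-when-logout="/goodbye"'})
    print(user_logout(st))  # GET /goodbye rather than re-POSTing the checkout
```

Run stand-alone, the block walks the shopping-cart case from the message: the checkout POST's response names a logout location, so the user-initiated logout becomes a GET to it instead of re-submitting the order. Drop the directive and `user_logout` reports `reload-resubmits-POST`, which is exactly the behaviour the draft's advice (send a directive with every POST) is meant to avoid.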